A memory corruption vulnerability exists in Exim versions 4.69 and older. This vulnerability may lead to arbitrary code execution with the privileges of the user executing the Exim daemon. The vulnerability relies upon "rejected_header" being enabled (default setting) in the log_selector configuration.
To resolve this issue on Linux systems, users are urged to upgrade to a version of exim that is 4.70 or higher. FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.
Additional information regarding this vulnerability is discussed on the exim mailing list. The following post includes the Exim development team's response:
http://www.exim.org/lurker/message/20101210.164935.385e04d0.en.html
In summary, the exim team responded in the aformentioned post as follows:
> Given that the remote flaw was fixed over a year ago and does not affect
> current releases of Exim, and given the existence of the
> ALT_CONFIG_ROOT_ONLY option to avoid the local privilege escalation, the
> Exim team has decided that there is no immediate need to rush a new
> release of Exim out the door.
>
> We plan to remove the ALT_CONFIG_ROOT_ONLY option (making the code
> always behave as it currently does if that option is set), and then take
> steps to restore the esoteric functionality that is lost by doing so,
> and release a new version of Exim in good time.
FYI,
Gordon
