We use Exim4 as our MTA on most servers.
A security vulnerability was announced in September 2019 under CVE-2019-15846. The vulnerability has been addressed with a patch back-ported to our OS versions.
- Exim 4.92.2 and above are NOT affected (not currently in use)
- Our OpenVZ servers are limited by the shared kernel to Ubuntu Server 16.04 LTS; the patched version of Exim there is 4.86.2-2ubuntu2.5
- Our KVM servers run the current LTS version, Ubuntu Server 18.04 LTS; the patched version of Exim there is 4.90.1-1ubuntu1.4
We believe that the patch eliminates this vulnerability on our servers. We have other technical protections in place to prevent other attacks and we will continue to watch for any security alerts.
If you are not a customer on our servers, please make sure that your servers are up-to-date and secure!
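One way to check a server against the versions listed above, as an added example that is not our production tooling. The function names, the `--host` switch and the `exim4-base` package query are choices made for this example; releases other than 16.04 and 18.04 are assumed to need upstream 4.92.2 or later, so a backport on another release would be reported as needing an update.

```shell
#!/bin/sh
# Added example: decide whether an exim4 package version carries the
# CVE-2019-15846 fix, using only the versions listed on this page.

# fixed_version RELEASE: print the first fixed package version for a release.
fixed_version() {
    case "$1" in
        16.04) echo "4.86.2-2ubuntu2.5" ;;   # Ubuntu 16.04 LTS backport
        18.04) echo "4.90.1-1ubuntu1.4" ;;   # Ubuntu 18.04 LTS backport
        *)     echo "4.92.2" ;;              # assumption: upstream fixed release
    esac
}

# version_ge A B: succeed when A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback without dpkg: GNU version sort, an approximation of
        # Debian ordering that is adequate for plain numeric versions.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# exim_status RELEASE INSTALLED_VERSION: print "patched" when the installed
# version is at or above the fixed one, otherwise "needs-update" (exit 1).
exim_status() {
    if version_ge "$2" "$(fixed_version "$1")"; then
        echo "patched"
    else
        echo "needs-update"
        return 1
    fi
}

# check_host: apply the check to the machine this runs on (Ubuntu/Debian).
check_host() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}' exim4-base) || return 2
    echo "Ubuntu $release exim4-base $installed: $(exim_status "$release" "$installed")"
}

# Run against the local host only when asked: sh check_exim.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```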
You can read more about this particular case at NIST and find additional links on their page at https://nvd.nist.gov/vuln/detail/CVE-2019-10149