Patch your mail server now! An Exim vulnerability allows attackers to run commands as root.
More than 4 million mail servers are affected by the new remote code execution vulnerability in Exim (CVE-2019-10149). Please make sure that your mail server, or your hosting provider's, runs the latest version of Exim, one of the most popular mail servers. Affected versions are 4.87 to 4.91. Although the newest version, Exim 4.92, was released on 10th of February 2019, most Linux distributions still ship an older version.
Most patches have already been released for all major distributions:
- Debian Stretch has updated the package to the patched version of Exim, 4.89-2+deb9u4. Date reported: 5th of June 2019.
- Debian Jessie has received security updates as well; the version is 4.84.2-2+deb8u5.
- Debian Buster and Sid already use the newest packages of Exim.
- CentOS 5-7 and RHEL 6/7 should upgrade to the newest package as well.
- Ubuntu 14.04 (Trusty Tahr) has received patches with the following package: Exim 4.82-3ubuntu2.4.
- For Ubuntu 16.04 LTS (Xenial Xerus), Exim 4.86.2-2ubuntu2.3 is available.
- For Ubuntu 17.10, the updated version of the package is 4.89-5ubuntu1.3.
- Ubuntu 18.04 (Bionic) has received Exim 4.90.1-1ubuntu1.
Please note that older versions of Debian (older than Jessie) have not received any security updates, and you need to consider moving to the newest available Debian version. There will not be any Exim patches for CentOS/RHEL version 5.x or older.
To update Debian- or Ubuntu-based distros, please use the following commands:
sudo apt-get update
sudo apt-get upgrade
or, to update only the Exim package:
sudo apt-get install exim4
After that, please verify that the right package has been installed:
dpkg --list | grep exim
debsecan | grep -i CVE-2019-10149
An empty result from the debsecan line means the CVE is no longer reported against your installed packages.
For CentOS or RHEL 6/7, you can upgrade the packages by running:
sudo yum update
To get the latest version, 4.92, from the EPEL testing repository:
yum --enablerepo=epel-testing update exim
For Fedora distributions, please install the updates with:
sudo dnf update
After that, verify that the patched package has been installed:
rpm -q --changelog exim | grep CVE-2019-10149
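The version and changelog checks above, combined into one script, as an added example that is not part of the original post. It assumes the version string comes from the package manager (dpkg or rpm) and the changelog text from `rpm -q --changelog exim` or `apt-get changelog exim4`; the sample changelog line is constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the original post: classify an installed Exim
# against CVE-2019-10149 from its package version string and the text of its
# package changelog. The affected upstream range, per the advisory, is
# 4.87 through 4.91. Distributions backport fixes without changing the
# upstream version number, so only the changelog proves that a backport
# of the fix is present.

# Reduce a package version such as "4.89-2+deb9u4" or "4.92-1.el7" to the
# upstream major and minor numbers, printed as "4 89". Returns 1 if the
# string is not a numeric version.
exim_upstream_version() {
    v=${1%%-*}            # drop the distribution revision
    major=${v%%.*}        # "4"
    rest=${v#*.}          # "89" or "90.1"
    minor=${rest%%.*}     # "89" or "90"
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$major $minor"
}

# Print one of: patched, vulnerable, unlisted, unparsed.
#   patched     changelog names CVE-2019-10149 (backported fix present)
#   vulnerable  upstream version in 4.87..4.91 and no fix recorded
#   unlisted    outside the advisory's range: 4.92+ is fixed upstream,
#               older releases need the distribution's own statement
check_exim() {
    version=$1
    changelog=$2
    if printf '%s\n' "$changelog" | grep -q 'CVE-2019-10149'; then
        echo patched
        return 0
    fi
    parsed=$(exim_upstream_version "$version") || { echo unparsed; return 0; }
    major=${parsed%% *}
    minor=${parsed##* }
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        echo vulnerable
    else
        echo unlisted
    fi
}

# Constructed sample changelog entry (not real output from any host):
SAMPLE_PATCHED='* Wed Jun 05 2019 - 4.89-2+deb9u4
  - Fix CVE-2019-10149 (remote command execution)'

check_exim "4.89-2+deb9u4" "$SAMPLE_PATCHED"   # patched
check_exim "4.89-2+deb9u3" ""                  # vulnerable
check_exim "4.92-1.el7"    ""                  # unlisted
```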