Overnight a vulnerability was announced for exim4 that allows attackers to execute code as the user running the exim daemon.
It hasn't been patched upstream yet, and there's no CVE number yet.
There is a mitigation, however. You should add the following to the main section of your exim configuration:
Hosts running Debian-based distros

The default value of chunking_advertise_hosts was changed in package version 4.88-5 of exim4 back in January so that CHUNKING is not advertised by default, and thus not enabled. This means that if your machine is running a version of exim earlier than 4.88, or between 4.88-5 and 4.89-3, and you've not deliberately altered chunking_advertise_hosts, then your machine is not vulnerable.
This means that, with the default configuration, hosts running
* Debian stretch or jessie-backports
* Symbiosis stretch
* Ubuntu zesty, artful, or bionic
are not vulnerable.
You can telnet to your machine to test:
$ telnet my.host.name 25
Connected to my.host.name.
Escape character is '^]'.
220 my.host.name ESMTP Exim 4.89 Sat, 25 Nov 2017 09:23:32 +0000
Send an EHLO greeting (the transcript below came from "EHLO onlyme") and the server should respond with its list of supported extensions, beginning
250-my.host.name Hello onlyme [2001:41c9::2]
If there is no mention of CHUNKING in that list, then your server is not vulnerable.
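The same check can be scripted so it can be run across a fleet of mail hosts rather than by hand. The script below is an added example and not part of the original post or of Exim itself: parse_ehlo_extensions() parses a captured EHLO reply (the two sample replies are constructed, modelled on the transcript above), and check_host() performs the live EHLO using Python's standard smtplib. The host name my.host.name and the HELO name onlyme are placeholders taken from the transcript.

```python
"""Check whether an SMTP server advertises the CHUNKING extension.

parse_ehlo_extensions() works on captured text; check_host() performs
the live EHLO over the network (host and port are placeholders).
"""
import smtplib
import sys

# Constructed sample EHLO replies, modelled on the transcript in the post
# (not real captures).  RFC 5321 multi-line replies use "250-" for every
# line but the last, which uses "250 ".
SAMPLE_WITH_CHUNKING = """\
250-my.host.name Hello onlyme [2001:41c9::2]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
"""

SAMPLE_WITHOUT_CHUNKING = """\
250-my.host.name Hello onlyme [2001:41c9::2]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
"""


def parse_ehlo_extensions(response):
    """Return the extension keywords (upper-cased) from an EHLO reply.

    The first 250 line is the greeting and carries no extension; each
    later line is "<keyword> [parameters]".  Raises ValueError on a reply
    that is not a well-formed 250 multi-line response.
    """
    lines = [line for line in response.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % lines[:1])
    extensions = []
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        parts = line[4:].split(None, 1)  # drop parameters, e.g. "SIZE 52428800"
        if parts:
            extensions.append(parts[0].upper())
        if line[3] == " ":
            break  # final line of the multi-line reply
    return extensions


def advertises_chunking(response):
    """True if CHUNKING is offered, i.e. the BDAT code path is reachable."""
    return "CHUNKING" in parse_ehlo_extensions(response)


def check_host(host, port=25, helo_name="onlyme", timeout=10):
    """Live check: connect, send EHLO, return (chunking_advertised, extensions).

    Requires network access; host/port/helo_name are placeholders.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected with %d: %r" % (code, msg))
        # smtplib stores the parsed extension names in lower case
        extensions = sorted(name.upper() for name in smtp.esmtp_features)
        return "CHUNKING" in extensions, extensions


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my.host.name"  # placeholder
    chunking, exts = check_host(target)
    print("%s advertises: %s" % (target, ", ".join(exts)))
    print("CHUNKING advertised: %s" % ("YES" if chunking else "no"))
    sys.exit(1 if chunking else 0)
```

Run as `python3 check_chunking.py mail.example.org`; a non-zero exit status means CHUNKING was advertised, which makes the script easy to drop into a monitoring job. Exim only advertises CHUNKING when chunking_advertise_hosts matches the connecting host, so run the check from an address that is representative of the clients your server accepts mail from.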