Exim Security Vulnerability 2019-06-07

Hi all. I didn’t see a post about this in the forums so I wanted to make sure everyone was aware of this:

Action required! Exim mail servers need urgent patching
07 JUN 2019

Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time.

I know that Debian 10 has version 4.92 of Exim. I don’t know about the Debian 9 packages.

I came across HestiaCP by accident a few days ago as I was looking for a CP that I like better than ISPConfig, and I was excited to try it. It looks like a great CP. Honestly, though, I was a bit disheartened when I saw that it only works with Exim. I hope the option of using Postfix is on the roadmap.


Hi Dan

All common distributions have already released new versions of exim that will fix the security issue.

Postfix is not on the roadmap; exim does fulfill the requirements completely. An already fixed security issue alone is, from my point of view, not a reason to change the whole mail stack.

Debian 10 will be supported with release 1.1.0, which should follow in a few weeks.

So you want to abandon a software just because a zero-day vulnerability was reported? In this way, you won’t be able to use any software, because all of them have bugs and vulnerabilities; it is just a matter of time before they are discovered.
Exim is the oldest MTA and is still actively being developed. The vulnerability was patched even before it could spread. So you are just “apt update” away on old servers, and on new ones the latest patch will be installed already.
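As an added example (not from the thread or from Hestia), a small shell check that tells whether an Exim version string falls in the range the advisory names, 4.87 through 4.91 inclusive, and applies it to the locally installed package. It assumes a dpkg-based system and the Debian package name exim4-base; note that Debian security updates often backport a fix without bumping the upstream version, so an in-range result means "confirm via the package changelog", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example: is an Exim version in the CVE-2019-10149 range (4.87..4.91)?
# Accepts upstream strings ("4.89") or Debian package versions ("4.89-2+deb9u3").

# Returns 0 (true) if the upstream part of $1 is 4.87 through 4.91, else 1.
exim_version_affected() {
    v=${1%%[-+]*}          # drop distro suffix: "4.89-2+deb9u3" -> "4.89"
    major=${v%%.*}         # "4"
    rest=${v#*.}           # "89" (or "91_RC1" for a release candidate)
    minor=${rest%%.*}      # first component after the major version
    minor=${minor%%[!0-9]*} # keep leading digits only: "91_RC1" -> "91"
    [ "$major" = "4" ] || return 1
    [ -n "$minor" ] || return 1
    [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Report on the installed exim4-base package (assumed package name), if any.
# A version in range only says the upstream number is affected; Debian may
# have shipped the fix as a security update under that same upstream number,
# so 'apt changelog exim4-base' is the place to confirm.
check_installed_exim() {
    ver=$(dpkg-query -W -f='${Version}' exim4-base 2>/dev/null) || {
        echo "exim4-base is not installed"
        return 2
    }
    if exim_version_affected "$ver"; then
        echo "exim4-base $ver: upstream version in affected range; confirm the distro patch with 'apt changelog exim4-base'"
        return 0
    fi
    echo "exim4-base $ver: outside the affected upstream range"
    return 1
}

# Usage: run this script on the host; the exit code mirrors check_installed_exim.
[ "${0##*/}" = "sh" ] || check_installed_exim
```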

:crazy_face: Whoa horsey! Let’s chill out. I said nothing about abandoning anything just because of a single vulnerability of one of its components. I haven’t even tried Hestia yet, much less abandoned it. I just wanted to make sure everyone was aware that they needed to update Exim and made a passing comment that I was disappointed that Postfix wasn’t supported. Evidently that’s a touchy subject.

Anyhoo. I have a VM with Debian 10 set up, ready to give Hestia a try. Looking forward to the 1.1.0 release.