Hi all. I didn’t see a post about this in the forums so I wanted to make sure everyone was aware of this:
Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time.
I know that Debian 10 has version 4.92 of Exim. I don’t know about the Debian 9 packages.
I came across HestiaCP by accident a few days ago as I was looking for a CP that I like better than ISPConfig, and I was excited to try it. It looks like a great CP. Honestly, though, I was a bit disheartened when I saw that it only works with Exim. I hope the option of using Postfix is on the roadmap.