Qualys has put out an advisory on a vulnerability in the Exim mail transfer
agent, versions 4.87 through 4.91; it allows for easy command execution by
a local attacker and remote execution in some scenarios. “To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim’s code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.” Sites
running Exim should upgrade to 4.92 if they have not already.

Source: LWN.net – Severe vulnerability in Exim