Debian and Red Hat close Exim hole
Four days after a security hole was discovered in the free Exim mail server, the developers of Debian and Red Hat have released corrected versions for their Linux distributions. While the Exim version provided by Red Hat blocks root access, Debian’s new Exim contains fixes for a memory flaw that allows code to be executed with Exim user rights. However, Debian’s patched version does not provide any protection against the hole that allows attackers to get root rights. Before they fix that problem, the developers first want to clarify some "compatibility issues," which they plan to do as soon as possible.
The flaw has been remedied in the Exim sources since version 4.70, released at the end of 2008. The correction was not, however, marked as relevant for security and therefore was not included in older versions. Debian’s stable Lenny distribution still uses Exim 4.69, while Red Hat has 4.43.