Updated exim packages are available, which fix a problem when handling certain types of addresses with some configurations. The default configuration does not exhibit this problem.
When the local exim configuration directs or routes an address to a pipe transport without verifying that the local part is valid, the command encoded in the local part will be executed. This problem does not apply to pipes run from alias or forward files, since the local part is verified in that case. However, if, for example, all incoming mail is filtered in some way (perhaps with a virus checker) without verifying that the local part is valid, then your site may be affected by this problem. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0889 to this issue. It is recommended that all exim users upgrade to the provided packages.