A flaw was found in Exim. If the server configuration uses the ${sort } expansion on items that a remote attacker can control (for example $local_part or $domain), the attacker can execute programs with root privileges. Note: the default configuration shipped by Exim upstream does not contain ${sort }. Exim versions from 4.85 up to and including 4.92 are affected.
Acknowledgments: Name: Jeremy Harris
Statement: As per upstream, this exim security flaw only affects exim versions from 4.85 up to and including 4.92. Since Red Hat Enterprise Linux 5 ships exim-4.63, it is not affected by this flaw.
Mitigation: Do not use ${sort } in your exim configuration.
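As an added example (not code from this advisory, Red Hat, or the Exim project), the two checks an administrator would run against the description and mitigation above: whether an Exim version string falls inside the affected 4.85 to 4.92 range, and whether a configuration file applies ${sort } to sender-controlled values such as $local_part or $domain. The configuration fragment, the macro names RECIPIENT_TAGS and RELAY_ORDER, and the function names are constructed for this example; the script needs only POSIX sh, grep and sed, so it runs without Exim installed.

```shell
#!/bin/sh
# Added example for CVE-2019-13917; not code from Red Hat or the Exim project.
# Two checks that follow from the advisory text:
#   1. is an Exim version string in the affected range 4.85 .. 4.92?
#   2. does a configuration file apply ${sort } to data a remote sender
#      controls ($local_part, $domain)?

# exim_version_affected VERSION
# True (exit 0) when VERSION is 4.85 through 4.92 inclusive. A point release
# after 4.92 (e.g. 4.92.1) lies outside the range stated by the advisory; a
# suffix such as "_RC1" is dropped before comparing.
exim_version_affected() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" != "$ver" ] || return 1      # no minor component at all
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" != "$rest" ] || patch=0     # no patch component -> 0
    patch=${patch%%.*}                     # ignore anything after the patch
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 85 ] || return 1
    if [ "$minor" -lt 92 ]; then return 0; fi
    if [ "$minor" -eq 92 ] && [ "$patch" -eq 0 ]; then return 0; fi
    return 1
}

# sort_on_remote_data CONFIG_FILE
# Prints, with line numbers, each line of CONFIG_FILE that both uses ${sort
# and references $local_part or $domain. Exit status 0 if any line matched.
# This is a per-line heuristic: a ${sort } whose list is assembled on an
# earlier continuation line, or arrives through a macro or a named variable
# set elsewhere, is not caught and still needs a manual read.
sort_on_remote_data() {
    grep -n -E '\$\{sort[ {]' "$1" | grep -E '\$(local_part|domain)'
}

# count_sort_on_remote_data CONFIG_FILE -> number of flagged lines on stdout
count_sort_on_remote_data() {
    sort_on_remote_data "$1" | grep -c .
}

# write_sample_config PATH
# Writes a constructed exim.conf fragment (not taken from any real site) with
# one ${sort } applied to the recipient's local part and one applied to a
# literal list that a remote sender cannot influence.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed Exim main-section fragment for this example
domainlist local_domains = @ : localhost

# Risky: the list being sorted is derived from the envelope recipient.
RECIPIENT_TAGS = ${sort{${sg{$local_part}{[+.]}{:}}}{<}{$item}}

# Not reachable from outside: the list is a literal written in the config.
RELAY_ORDER = ${sort{relay1.example:relay0.example}{<}{$item}}
EOF
}

# Stand-alone demonstration on the constructed fragment.
demo_conf=$(mktemp)
write_sample_config "$demo_conf"
echo "lines applying \${sort } to sender-controlled data in $demo_conf:"
sort_on_remote_data "$demo_conf" || echo "  (none)"
for v in 4.63 4.84 4.85 4.92 4.92.1 4.93; do
    if exim_version_affected "$v"; then
        echo "Exim $v: in affected range"
    else
        echo "Exim $v: outside affected range"
    fi
done
rm -f "$demo_conf"
```

To run it against a real host, feed exim_version_affected the version printed by exim -bV and point sort_on_remote_data at the file reported by exim -bP configure_file. Treat a clean grep as a starting point rather than a verdict: the mitigation above is to avoid ${sort } altogether, and an expansion whose list is built on continuation lines or through a macro will not be matched by a single-line check.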
External References: https://www.exim.org/static/doc/security/CVE-2019-13917.txt
Created exim tracking bugs for this issue: Affects: epel-all [bug 1733411] Affects: fedora-all [bug 1733410]