exim-3.22-10 has the same format string problem as the one found in Debian (which has exim-3.12): http://lwn.net/daily/deb-exim.php3 The relevant part of the Debian patch seems to be --- exim-3.12.orig/src/accept.c +++ exim-3.12/src/accept.c @@ -2449,7 +2449,7 @@ nothing on success. The function moan_smtp_batch() does not return - it exits from the program with a non-zero return code. */ - else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply); + else if (smtp_reply != NULL) moan_smtp_batch(NULL, "%s", smtp_reply); } /* Reset headers so that logging of rejects for a subsequent message doesn't --- exim-3.12.orig/src/configure.default
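Review bot: the "%s" change is the right fix for this call site, but the hunk is not the whole Debian patch: the trailing "--- exim-3.12.orig/src/configure.default" header shows the patch continues into configure.default and that part is cut off here, so check that it is carried into the 3.22 package as well. Since the vulnerable pattern is a single line (a non-literal string passed as the format argument of moan_smtp_batch()), grep the exim-3.22 tree for any other moan_smtp_batch() or printf-style calls with the same shape rather than porting only this one hunk. The comment above the call notes that moan_smtp_batch() does not return, so nothing after the call needs changing.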
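To make the format string problem in the quoted hunk concrete, here is an added example; it is not exim's code and not part of the Debian patch. moan_smtp_batch_demo() is a hypothetical stand-in for exim's moan_smtp_batch() that formats into a buffer instead of logging and exiting, the three reply strings are constructed sample inputs, and count_format_directives() is a hypothetical helper. log_reply_vulnerable() passes the reply as the format, as the "-" line does; log_reply_fixed() passes it as data behind a literal "%s", as the "+" line does.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for exim's moan_smtp_batch(): a printf-style
   routine that formats into a static buffer instead of logging and
   exiting. Only the calling convention matters for the demonstration. */
static const char *moan_smtp_batch_demo(const char *fmt, ...)
{
    static char out[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(out, sizeof out, fmt, ap);
    va_end(ap);
    return out;
}

/* Constructed sample replies (not taken from any real exim configuration). */
static const char *const SAFE_REPLY    = "550 Administrative prohibition";
static const char *const PERCENT_REPLY = "550 100%% sure";   /* "%%" is a harmless directive */
static const char *const ATTACK_REPLY  = "550 %x %x %n";     /* reads the stack, then writes */

/* The '-' line of the hunk: the reply itself becomes the format string,
   so every '%' in it is interpreted by vsnprintf. */
const char *log_reply_vulnerable(const char *smtp_reply)
{
    return moan_smtp_batch_demo(smtp_reply);
}

/* The '+' line of the hunk: a literal format, the reply is plain data. */
const char *log_reply_fixed(const char *smtp_reply)
{
    return moan_smtp_batch_demo("%s", smtp_reply);
}

/* How many conversions the string would trigger if used as a format.
   "%%" is a literal percent sign and is not counted. A non-zero result
   for data that reaches a printf-style call unfiltered is the bug. */
int count_format_directives(const char *s)
{
    int n = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%": escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* PERCENT_REPLY contains only "%%", so running the vulnerable path
       on it is well defined and still shows the string being parsed. */
    printf("vulnerable: %s\n", log_reply_vulnerable(PERCENT_REPLY));
    printf("fixed:      %s\n", log_reply_fixed(PERCENT_REPLY));

    /* ATTACK_REPLY is never passed to the vulnerable path: with no
       matching arguments, "%x" reads stack garbage and "%n" writes to
       memory, which is undefined behaviour. The fixed path and the
       directive counter are safe on it. */
    printf("fixed:      %s\n", log_reply_fixed(ATTACK_REPLY));
    printf("directives: %d in \"%s\"\n",
           count_format_directives(ATTACK_REPLY), ATTACK_REPLY);
    return 0;
}
```

The vulnerable path turns "100%%" into "100%", proving the reply is parsed as a format; with "%x" or "%n" in the string the same path would read or write memory, which is why the example only feeds such a string to the fixed path and to the counter.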
Thanks, I saw this.
The maintainer has indicated that this vulnerability is local only, and is not triggered by SMTP with external sites.
This is fixed in exim-3.22-14.