12/26/01
The first vulnerability is in the processing of incoming
e-mail in which the local part of the address begins with
a pipe (|) character. A remote attacker could execute arbitrary
commands by embedding the commands in the destination e-mail
address. This vulnerability is only exploitable with a run-time
configuration which routes mail directly to a pipe before performing
any checking of the local part of the address. It is not exploitable
through alias or .forward files.
Nor is it likely to be exploitable if receiver_verify is enabled
and the director for the pipe has no_verify enabled.
Exim versions prior to 3.34 are affected by this vulnerability.
6/18/01
CVE-2001-0690
The second vulnerability is in the portion of code which checks the syntax of e-mail
message headers. Due to a format string vulnerability in
the logging of errors produced by this check, it could
be possible for a remote attacker to execute arbitrary
commands.
This vulnerability is present in Exim versions prior to 3.12-10.1. It is only exploitable if the header syntax check is turned on. It is not exploitable by default.
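The logging flaw described above, as an added example that is not Exim's code: a failed header check produces error text containing sender-controlled bytes, and the vulnerable form passes that text as the format string. The function names, the logger, and the sample header are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];          /* captures the most recent log line */

/* Hypothetical printf-style logger standing in for a mail server's log routine. */
static void log_write(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Error text of a failed header syntax check; it embeds sender-controlled bytes. */
static void syntax_error_text(const char *header, char *out, size_t outlen)
{
    snprintf(out, outlen, "header syntax error in \"%s\"", header);
}

/* Vulnerable pattern: the error text itself is used as the format string. */
static const char *log_error_vulnerable(const char *header)
{
    char msg[200];
    syntax_error_text(header, msg, sizeof msg);
    log_write(msg);                 /* any '%' in the header is now a directive */
    return last_log;
}

/* Corrected pattern: constant format string, error text passed as data. */
static const char *log_error_fixed(const char *header)
{
    char msg[200];
    syntax_error_text(header, msg, sizeof msg);
    log_write("%s", msg);
    return last_log;
}

int main(void)
{
    /* Constructed header. "%%" is a directive that consumes no argument, so the
       vulnerable call stays well defined while still showing interpretation. */
    const char *hdr = "To: a%%b@example.test";
    printf("vulnerable: %s\n", log_error_vulnerable(hdr));
    printf("fixed:      %s\n", log_error_fixed(hdr));
    return 0;
}
```

The vulnerable path logs `a%b` where the header contained `a%%b`, which shows the header was parsed as a format string; the fixed path logs the header bytes unchanged.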