Follow-up work from CVE-2019-10149 (last month) has revealed
a further vulnerability.  This is the first notification
outside the Exim developers; we expect to be mailing
distros@vs.openwall.org within a few days.

These identifiers:
     CVE-2019-13917
     OVE-20190718-0006
are being used to track the vulnerability.


Exim versions 4.85 through 4.92 are affected.
Only systems using relatively unusual configuration
files are affected.

The vulnerability, if present given the configuration,
is exploitable either remotely or locally and could
be used to execute other programs with root privilege.
Details of the exploit will depend on the affected part
of the Exim configuration.

A source-level fix has been prepared but has not
yet been publicised.  A patch is being prepared.
A timeline for public release will be given in
a follow-up to this mail once the patch is ready.
