XG affected by CVE-2019-10149. When will it be fixed?

According to the latest news, there seems to be a critical bug in Exim from version 4.87 to (and including) version 4.91.
The latest Sophos XG 17.5.5 uses Exim 4.91, which seems to be vulnerable.

Maybe somebody from Sophos staff could give us additional information about this issue. I'd be interested to know whether Sophos
plans to fix this bug immediately or whether it will take weeks or months until this issue is solved.

If Sophos does not plan to act immediately, it would be nice to know whether there is a workaround for this... (Disabling Email Protection is definitely not accepted as a workaround ;-) )

More info about the issue: https://www.tenable.com/blog/cve-2019-10149-critical-remote-command-execution-vulnerability-discovered-in-exim

  • Wow! I'm really surprised. There is a proper KB about this that I had missed in my research so far.

    Well done!

    Edit: In the KB, there is no information about whether Sophos UTM is affected by this issue. According to my information, Sophos UTM 9.602 uses Exim version 4.82, which should not be affected. Maybe somebody from Sophos staff can acknowledge this?

    Edit 2: According to the Exim developers, 4.82 is outdated and should not be used anywhere... ?
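The thread above compares two appliance builds (XG on Exim 4.91, UTM on Exim 4.82) against the 4.87 to 4.91 range from the advisory. Below is an added example of that check as a small script; it is not part of the original post and not Sophos code. It assumes the real first-line format of `exim -bV` ("Exim version X.YY #N built ..."), and the two sample outputs are constructed to mimic those builds, not captured from real appliances.

```python
import re
import subprocess

# Affected range as stated in the thread: Exim 4.87 through 4.91 inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# `exim -bV` prints "Exim version X.YY #N built ..." on its first line.
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output):
    """Extract (major, minor) from `exim -bV` output; None if not found."""
    m = _VERSION_RE.search(bv_output)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected(version):
    """True when version lies in the 4.87..4.91 range from the advisory."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(bv_output):
    """Return a short verdict string for the given `exim -bV` output."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown: could not parse Exim version"
    label = "%d.%d" % version
    if is_affected(version):
        return "affected: Exim %s is in the 4.87-4.91 range" % label
    if version < AFFECTED_MIN:
        return "older than affected range: Exim %s (not in 4.87-4.91, but outdated)" % label
    return "not affected: Exim %s is newer than 4.91" % label


def check_local_exim():
    """Run `exim -bV` on this host and classify it; handles a missing binary."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.SubprocessError) as exc:
        return "unknown: could not run exim -bV (%s)" % exc
    return classify(proc.stdout)


# Constructed sample outputs (not captured from real appliances): the first
# mimics an XG 17.5.5 build on Exim 4.91, the second a UTM build on Exim 4.82.
SAMPLE_XG = (
    "Exim version 4.91 #1 built 01-Jan-2019 00:00:00\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)
SAMPLE_UTM = "Exim version 4.82 #1 built 01-Jan-2014 00:00:00\n"

if __name__ == "__main__":
    print(classify(SAMPLE_XG))
    print(classify(SAMPLE_UTM))
    print(check_local_exim())
```

One caveat when running this on a vendor box: distributions and appliance vendors often backport the fix into an existing package without changing the version string, so a version in the affected range is a reason to ask the vendor (or read their KB), not proof that the host is exploitable.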