Some more info at "Sophos products and the Bash vulnerability (Shellshock)", although the up2date doesn't seem to be mentioned, it does state that the UTM can't execute bash from any exposed services. Hopefully that applies to 8.x and 9.1x as well.
Barry, the way I read the warning was that it's one of the processes that Exim does with the contents of the header. The internal processes of Exim are in question, not the exposed processes. I don't know which CGI scripts are used by the UTM in Exim, nor whether the bash fix took this new (discovered last week) exploit into account, so I don't know whether to worry about this.
Cheers - Bob
Sophos UTM Community Moderator | Sophos Certified Architect - UTM | Sophos Certified Engineer - XG | Gold Solution Partner since 2005
Bob - Exim would not be vulnerable to bash. If Exim uses bash in a script, bash may be vulnerable. However, if bash is patched, other products using bash (like Exim, Apache, etc.) would be safe as well.
That being said, and slightly off topic, it still may be vulnerable (and I think it is) to POODLE attacks aimed at SSLv3 support in services like Exim, etc.