diff -Nru exim4-4.90.1/debian/changelog exim4-4.90.1/debian/changelog
--- exim4-4.90.1/debian/changelog 2018-10-10 18:25:04.000000000 +0000
+++ exim4-4.90.1/debian/changelog 2019-06-04 18:44:51.000000000 +0000
@@ -1,3 +1,12 @@
+exim4 (4.90.1-1ubuntu1.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: remote command execution
+ - debian/patches/CVE-2019-10149.patch: fix parsing logic in
+ src/deliver.c.
+ - CVE-2019-10149
+
+ -- Marc Deslauriers Tue, 04 Jun 2019 14:44:51 -0400
+
 exim4 (4.90.1-1ubuntu1.1) bionic; urgency=medium

 * d/p/eximstats_unitialized_value.patch: Fix uninitialized value error in
diff -Nru exim4-4.90.1/debian/patches/CVE-2019-10149.patch exim4-4.90.1/debian/patches/CVE-2019-10149.patch
--- exim4-4.90.1/debian/patches/CVE-2019-10149.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.90.1/debian/patches/CVE-2019-10149.patch 2019-06-04 18:44:49.000000000 +0000
@@ -0,0 +1,48 @@
+From d740d2111f189760593a303124ff6b9b1f83453d Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Mon, 27 May 2019 21:57:31 +0100
+Subject: [PATCH 1/1] Fix CVE-2019-10149
+
+---
+ doc/doc-txt/ChangeLog | 2 ++
+ doc/doc-txt/cve-2019-10149 | 36 ++++++++++++++++++++++++++++++++++++
+ src/src/deliver.c | 22 ++++++++++++++--------
+ 3 files changed, 52 insertions(+), 8 deletions(-)
+ create mode 100644 doc/doc-txt/cve-2019-10149
+
+Index: exim4-4.90.1/src/deliver.c
+===================================================================
+--- exim4-4.90.1.orig/src/deliver.c 2019-06-04 14:44:46.307317559 -0400
++++ exim4-4.90.1/src/deliver.c 2019-06-04 14:44:46.307317559 -0400
+@@ -6228,17 +6228,23 @@ if (process_recipients != RECIP_IGNORE)
+ {
+ uschar * save_local = deliver_localpart;
+ const uschar * save_domain = deliver_domain;
++ uschar * addr = new->address, * errmsg = NULL;
++ int start, end, dom;
+
+- deliver_localpart = expand_string(
+- string_sprintf("${local_part:%s}", new->address));
+- deliver_domain = expand_string(
+- string_sprintf("${domain:%s}", new->address));
++ if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
++ log_write(0, LOG_MAIN|LOG_PANIC,
++ "failed to parse address '%.100s': %s\n", addr, errmsg);
++ else
++ {
++ deliver_localpart =
++ string_copyn(addr+start, dom ? (dom-1) - start : end - start);
++ deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+
+- (void) event_raise(event_action,
+- US"msg:fail:internal", new->message);
++ event_raise(event_action, US"msg:fail:internal", new->message);
+
+- deliver_localpart = save_local;
+- deliver_domain = save_domain;
++ deliver_localpart = save_local;
++ deliver_domain = save_domain;
++ }
+ }
+ #endif
+ }
diff -Nru exim4-4.90.1/debian/patches/series exim4-4.90.1/debian/patches/series
--- exim4-4.90.1/debian/patches/series 2018-10-10 18:25:04.000000000 +0000
+++ exim4-4.90.1/debian/patches/series 2019-06-04 18:44:42.000000000 +0000
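Review bot: Nothing at the call site in src/deliver.c records why the address is now split with `parse_extract_address()` rather than `expand_string()`, so a later cleanup could reintroduce string expansion of recipient text, which is the path the changelog classes as remote command execution. I would add above the `if`: `/* new->address may be attacker-supplied: split it with the parser, never feed it to expand_string() (CVE-2019-10149) */`. Separately, the pointer returned by `parse_extract_address()` is only tested for NULL and the offsets are then applied to the original `addr`; if `dom` is reported relative to the returned copy rather than to the input, `addr+dom` is only correct when `start` is 0, so either slice the returned string or state that assumption in the comment. The enclosing `if (process_recipients != RECIP_IGNORE)` block begins and ends outside this hunk.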
@@ -9,3 +9,4 @@
 70_remove_exim-users_references.dpatch
 fix_smtp_banner.patch
 eximstats_unitialized_value.patch
+CVE-2019-10149.patch