exim 4.74 released fixes CVE-2011-0017

Bug #708023 reported by Charles Peters II
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
exim4 (Ubuntu) | Fix Released | Medium | Artur Rona |
Dapper | Fix Released | Medium | Marc Deslauriers |
Hardy | Fix Released | Medium | Marc Deslauriers |
Karmic | Fix Released | Medium | Marc Deslauriers |
Lucid | Fix Released | Medium | Marc Deslauriers |
Maverick | Fix Released | Medium | Marc Deslauriers |
Natty | Fix Released | Medium | Artur Rona |

Bug Description

Binary package hint: exim4

http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html

Last night UK time Phil Pennock made the announcement of the exim4 4.74 release to fix CVE-2011-0017.

http://security-tracker.debian.org/tracker/CVE-2011-0017 shows Debian stable and testing haven't been fixed yet. It appears all Ubuntu stable releases need to be updated.

Tags: cve
Charles Peters II (cp)
visibility: private → public
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

FWIW this is now fixed in Debian stable, testing, sid and experimental.

Charles Peters II (cp) wrote :

The initial Debian fix broke normal user filters.
$ /usr/sbin/exim4 -bf .forward
exim: changing group failed: Operation not permitted

And was fixed. exim4_4.69-9+lenny4
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611572

Changed in exim4 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Artur Rona (ari-tczew)
Changed in exim4 (Ubuntu):
assignee: nobody → Artur Rona (ari-tczew)
Changed in exim4 (Ubuntu Dapper):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in exim4 (Ubuntu Hardy):
status: New → Confirmed
Changed in exim4 (Ubuntu Karmic):
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in exim4 (Ubuntu Lucid):
status: New → Confirmed
Changed in exim4 (Ubuntu Maverick):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in exim4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Karmic):
status: New → Confirmed
Changed in exim4 (Ubuntu Hardy):
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in exim4 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.74-1ubuntu1

---------------
exim4 (4.74-1ubuntu1) natty; urgency=low

  * Merge from debian experimental. Remaining changes: (LP: #713855)
    - debian/patches/71_exiq_grep_error_on_messages_without_size.patch:
      + Improve handling of broken messages when "exim4 -bp" (mailq)
        reports lines without size info. (Closes: #528625)
    - debian/control: Don't declare a Provides: default-mta; in Ubuntu,
      we want postfix to be the default.
    - debian/{control,rules}: Add and enable hardened build for PIE.
      (Closes: #542726)
  * Update 71_exiq_grep_error_on_messages_without_size.patch to get way
    which upstream has fixed it. Probably it can be dropped with next
    upstream release.
  * This upload fixes CVE: (LP: #708023)
    - CVE-2011-0017

exim4 (4.74-1) experimental; urgency=low

  * 4.74 release, should build on hurd again.
  * Fix some lintian --pedantic issues: copyright-refers-to-symlink-license
    maintainer-script-without-set-e debian-control-has-unusual-field-spacing

exim4 (4.74~rc2-1) experimental; urgency=low

  * In spf example use spf-tools-perl's spfquery instead of the one from
    libmail-spf-query-perl. Do not try to use unimplemented best-guess
    support. Update Suggests accordingly. Closes: #608336
  * Add headers in ACL by using the add_header modifier instead of "message".
    (This modifier has been available since 4.61.) Closes: #609308
  * New upstream version.
    + includes the fix for CVE-2011-0017
    + If a non-debug daemon was invoked with a non-whitelisted macro, then
      logs from after attempting delivery would be silently lost, including
      for successful delivery. This log-loss bug was introduced in 4.73
      as part of the security lockdown. Closes: #610611
    + Update some patches.
 -- Artur Rona <email address hidden> Wed, 09 Feb 2011 21:31:35 +0100

Changed in exim4 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.69-2ubuntu0.3

---------------
exim4 (4.69-2ubuntu0.3) hardy-security; urgency=low

  * SECURITY UPDATE: local privilege escalation via alternate config file
    (LP: #697934)
    - debian/patches/80_CVE-2010-4345.dpatch: backport massive behaviour-
      altering changes from upstream git to fix issue.
    - debian/patches/81_CVE-2010-4345-docs.dpatch: backport documentation
      changes.
    - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
      in utility scripts. This would not work with ALT_CONFIG_PREFIX.
      Patch obtained from Debian's 4.69-9+lenny2.
    - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
      exim will not regain root privileges (usually necessary for local
      delivery) if the -D option was used. Macro identifiers listed in
      WHITELIST_D_MACROS are exempted from this restriction. mailscanner
      (4.79.11-2.2) uses -DOUTGOING.
    - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
      security update, exim will not re-gain root privileges (usually
      necessary for local delivery) if the -C option was used. This makes
      it impossible to start a fully functional daemon with an alternate
      configuration file. /etc/exim4/trusted_configs (can) contain a list
      of filenames (one per line, full path given) to which this
      restriction does not apply.
    - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
      Debian and Andreas Metzler for the text.
    - CVE-2010-4345
  * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
    - debian/patches/82_CVE-2011-0017.dpatch: check setuid and setgid return
      codes in src/exim.c, src/log.c.
    - CVE-2011-0017
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via hard link to another user's file (LP: #609620)
    - debian/patches/CVE-2010-2023.dpatch: check for links in
      src/transports/appendfile.c.
    - CVE-2010-2023
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via symlink on a lock file (LP: #609620)
    - debian/patches/CVE-2010-2024.dpatch: improve lock file handling in
      src/exim_lock.c, src/transports/appendfile.c.
    - CVE-2010-2024
  * debian/rules: disable debconf-updatepo so the security update doesn't
    alter translations.
 -- Marc Deslauriers <email address hidden> Tue, 08 Feb 2011 15:19:27 -0500

Changed in exim4 (Ubuntu Hardy):
status: Confirmed → Fix Released
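
The changelog entries on this page describe the CVE-2011-0017 fix as checking the setuid and setgid return codes before the log file is touched. The C example below is added here for illustration and is not Exim's code or the Ubuntu patch: it contrasts the unchecked pattern with a checked one, and `id_ops`, the failing stubs and all function names are hypothetical, with the failure message modelled on the line quoted earlier in this thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection (not Exim's) so a failing call can be simulated. */
struct id_ops { int (*set_gid)(gid_t); int (*set_uid)(uid_t); };
static const struct id_ops real_ops = { setgid, setuid };

/* Constructed stubs: behave like calls that are refused with EPERM. */
static int fail_gid(gid_t g) { (void)g; errno = EPERM; return -1; }
static int fail_uid(uid_t u) { (void)u; errno = EPERM; return -1; }
static const struct id_ops failing_ops = { fail_gid, fail_uid };

/* Checked drop: group before user, every return code tested, result verified.
 * A full drop from root would also clear supplementary groups (omitted here). */
static int drop_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0) {
        fprintf(stderr, "changing group failed: %s\n", strerror(errno));
        return -1;
    }
    if (ops->set_uid(uid) != 0) {
        fprintf(stderr, "changing user failed: %s\n", strerror(errno));
        return -1;
    }
    return (getegid() == gid && geteuid() == uid) ? 0 : -1;
}

/* Unchecked form: results are discarded, so the file step is always reached,
 * possibly still under the original identity. Returns 1 = step reached. */
static int open_log_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    (void)ops->set_gid(gid);
    (void)ops->set_uid(uid);
    return 1;
}

/* Checked form: returns 0 and never reaches the file step if the drop failed. */
static int open_log_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    return drop_checked(ops, uid, gid) == 0 ? 1 : 0;
}

int main(void)
{
    uid_t other = getuid() + 1; /* constructed target identity */
    printf("unchecked reaches file step: %d\n", open_log_unchecked(&failing_ops, other, getgid()));
    printf("checked reaches file step:   %d\n", open_log_checked(&failing_ops, other, getgid()));
    printf("checked drop to own ids:     %d\n", drop_checked(&real_ops, getuid(), getgid()));
    return 0;
}
```
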
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.71-3ubuntu1.1

---------------
exim4 (4.71-3ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: local privilege escalation via alternate config file
    (LP: #697934)
    - debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
      altering changes from upstream git to fix issue.
    - debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
      changes.
    - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
      in utility scripts. This would not work with ALT_CONFIG_PREFIX.
      Patch obtained from Debian's 4.69-9+lenny2.
    - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
      exim will not regain root privileges (usually necessary for local
      delivery) if the -D option was used. Macro identifiers listed in
      WHITELIST_D_MACROS are exempted from this restriction. mailscanner
      (4.79.11-2.2) uses -DOUTGOING.
    - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
      security update, exim will not re-gain root privileges (usually
      necessary for local delivery) if the -C option was used. This makes
      it impossible to start a fully functional daemon with an alternate
      configuration file. /etc/exim4/trusted_configs (can) contain a list
      of filenames (one per line, full path given) to which this
      restriction does not apply.
    - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
      Debian and Andreas Metzler for the text.
    - CVE-2010-4345
  * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
    - debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
      codes in src/exim.c, src/log.c.
    - CVE-2011-0017
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via hard link to another user's file (LP: #609620)
    - debian/patches/CVE-2010-2023.patch: check for links in
      src/transports/appendfile.c.
    - CVE-2010-2023
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via symlink on a lock file (LP: #609620)
    - debian/patches/CVE-2010-2024.patch: improve lock file handling in
      src/exim_lock.c, src/transports/appendfile.c.
    - CVE-2010-2024
  * debian/rules: disable debconf-updatepo so the security update doesn't
    alter translations.
 -- Marc Deslauriers <email address hidden> Tue, 08 Feb 2011 11:31:29 -0500

Changed in exim4 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.72-1ubuntu1.1

---------------
exim4 (4.72-1ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: local privilege escalation via alternate config file
    (LP: #697934)
    - debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
      altering changes from upstream git to fix issue.
    - debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
      changes.
    - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
      in utility scripts. This would not work with ALT_CONFIG_PREFIX.
      Patch obtained from Debian's 4.69-9+lenny2.
    - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
      exim will not regain root privileges (usually necessary for local
      delivery) if the -D option was used. Macro identifiers listed in
      WHITELIST_D_MACROS are exempted from this restriction. mailscanner
      (4.79.11-2.2) uses -DOUTGOING.
    - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
      security update, exim will not re-gain root privileges (usually
      necessary for local delivery) if the -C option was used. This makes
      it impossible to start a fully functional daemon with an alternate
      configuration file. /etc/exim4/trusted_configs (can) contain a list
      of filenames (one per line, full path given) to which this
      restriction does not apply.
    - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
      Debian and Andreas Metzler for the text.
    - CVE-2010-4345
  * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
    - debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
      codes in src/exim.c, src/log.c.
    - CVE-2011-0017
  * debian/rules: disable debconf-updatepo so the security update doesn't
    alter translations.
 -- Marc Deslauriers <email address hidden> Tue, 08 Feb 2011 09:46:29 -0500

Changed in exim4 (Ubuntu Maverick):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.69-11ubuntu4.2

---------------
exim4 (4.69-11ubuntu4.2) karmic-security; urgency=low

  * SECURITY UPDATE: local privilege escalation via alternate config file
    (LP: #697934)
    - debian/patches/80_CVE-2010-4345.dpatch: backport massive behaviour-
      altering changes from upstream git to fix issue.
    - debian/patches/81_CVE-2010-4345-docs.dpatch: backport documentation
      changes.
    - debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
      in utility scripts. This would not work with ALT_CONFIG_PREFIX.
      Patch obtained from Debian's 4.69-9+lenny2.
    - Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
      exim will not regain root privileges (usually necessary for local
      delivery) if the -D option was used. Macro identifiers listed in
      WHITELIST_D_MACROS are exempted from this restriction. mailscanner
      (4.79.11-2.2) uses -DOUTGOING.
    - Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
      security update, exim will not re-gain root privileges (usually
      necessary for local delivery) if the -C option was used. This makes
      it impossible to start a fully functional daemon with an alternate
      configuration file. /etc/exim4/trusted_configs (can) contain a list
      of filenames (one per line, full path given) to which this
      restriction does not apply.
    - debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
      Debian and Andreas Metzler for the text.
    - CVE-2010-4345
  * SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
    - debian/patches/82_CVE-2011-0017.dpatch: check setuid and setgid return
      codes in src/exim.c, src/log.c.
    - CVE-2011-0017
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via hard link to another user's file (LP: #609620)
    - debian/patches/CVE-2010-2023.dpatch: check for links in
      src/transports/appendfile.c.
    - CVE-2010-2023
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via symlink on a lock file (LP: #609620)
    - debian/patches/CVE-2010-2024.dpatch: improve lock file handling in
      src/exim_lock.c, src/transports/appendfile.c.
    - CVE-2010-2024
  * debian/rules: disable debconf-updatepo so the security update doesn't
    alter translations.
 -- Marc Deslauriers <email address hidden> Tue, 08 Feb 2011 13:41:17 -0500

Changed in exim4 (Ubuntu Karmic):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed some time ago in http://www.ubuntu.com/usn/usn-1060-1/.

Changed in exim4 (Ubuntu Dapper):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
