The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
osvdb.org/70696
secunia.com/advisories/43101
secunia.com/advisories/43128
secunia.com/advisories/43243
www.debian.org/security/2011/dsa-2154
www.securityfocus.com/bid/46065
www.ubuntu.com/usn/USN-1060-1
www.vupen.com/english/advisories/2011/0224
www.vupen.com/english/advisories/2011/0245
www.vupen.com/english/advisories/2011/0364
www.vupen.com/english/advisories/2011/0464
exchange.xforce.ibmcloud.com/vulnerabilities/65028
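
The following is an added example, not Exim's code and not taken from any of the advisories above: a privilege drop that checks and verifies the results of setgid and setuid before a log file is opened for appending. The function names `drop_privileges` and `open_log_as`, the sample path, and the use of `O_NOFOLLOW` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked pattern (the defect class described in this entry):
 *     setgid(gid); setuid(uid); fd = open(path, O_APPEND | ...);
 * If either call fails, open() still runs with the ids the process had before.
 *
 * Checked form: returns 0 only if both calls succeeded and the process
 * really holds the requested ids afterwards. A full drop would also clear
 * supplementary groups with setgroups() while still root; that is left out
 * here to keep the focus on the two calls named in the description. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: after setuid() the process may no longer be allowed
       to change its group. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify rather than trust: real and effective ids must both match. */
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Open a log file for appending as (uid, gid). Returns a file descriptor,
   or -1 without touching the file system if the privilege drop failed. */
int open_log_as(const char *path, uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0) return -1;   /* fail closed */
    /* O_NOFOLLOW makes open() fail if the final path component is a symlink. */
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
}

int main(void)
{
    /* Constructed sample path; the ids are the caller's own so this runs
       without root. */
    int fd = open_log_as("/tmp/example-mainlog", getuid(), getgid());
    if (fd < 0) { perror("open_log_as"); return 1; }
    close(fd);
    return 0;
}
```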