There is 1 open security issue in buster.
1 issue left for the package maintainer to handle:
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.
You can find information about how to handle this issue in the security team's documentation.