Hi Peter,
I believe the security team were stuck between this behaviour and
leaving users vulnerable. See http://www.ubuntu.com/usn/usn-2933-1/ for
details. There's also information in
/usr/share/doc/exim4-config/NEWS.Debian.
If there's some way to solve this that fixes the security problem and
I don't follow this - simply restarting exim after the patch fixes the
security issue. keep_environment and add_environment will be unset, so
you'll get warnings in the logs, but both will be empty by default, so
no environment will be kept, which will work unless there is some
environment needed