Hi Klaus,

On Sat, Jul 12, 2014 at 9:20 AM, Klaus Ethgen <[email protected]> wrote:
> Hi,
>
> On Sat, 12 Jul 2014 at 1:05, Michael Grant wrote:
> > Does anyone on this list know what the state of getting 4.82.1 (or
> > whatever is latest) into the backports repository for Debian is?
>
> You can add a wishlist bug for it.
>
> > It seems like this is quite urgent as there are some serious sounding
> > security fixes since 4.80!
>
> I don't think so. Without explicitly checking all the patches, but
> debian usually backports security relevant patches to the stable
> distribution.

I urge you to go look at what got fixed between 4.80 and 4.82 then (https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM hole that got patched that sounds pretty serious if you use DKIM.

The latest version in Debian's wheezy distribution is 4.80 from 02-Jan-2013 -- more than 18 months ago! There is no back-port from Jessie. Why?

Still don't think so? Are you implying that debian has in fact patched these security problems but still calls it 4.80? I'm finding that hard to believe.

> If you find an unfixed security bug you can create a bugreport with severe
> severity.

It's true, I can do this, however, I'm not the person who builds exim on debian, I just came along the other day and started using it because I needed a mailer!

What you are saying implies a much larger problem that there's no orderly way to feed release info into the distributions. Exim, like many other open source projects, has an announce list. Shouldn't someone who looks after security and back-ports be monitoring the announce list and dealing with these occasional events? I can understand lagging behind a few weeks or months for something less used, but Exim is hugely popular, used everywhere!

I'm just so surprised when you tell me I can file a bug report to motivate someone to do something. And, the fact that someone did compile 4.82 for Debian Jessie (the testing release), there is someone out there who is interested in Exim on Debian.
> > Or is there some other source out there that has the latest exim for
> > wheezy that I could add to my sources.list file?
>
> Especially if you care about security, you will not use some random
> debian repository. There are only two alternatives:

Well frankly, I was not fishing for a random personal repository, sometimes there are well known repos out there that people use, like if exim.org had one, I'd likely trust it.

> 1. Using the debian one which might not be the newest version but they
>    care about security

Exactly, but there isn't, and that's the entire purpose of my message.

> 2. Using a self compiled version with the drawback that you have to
>    care about the security by yourself.

I tried compiling it but it seems to suck in a lot of dependencies and there are modifications which seem to have been made for debian (paths to config files and such). I can probably get it to make but going back to compiling from source defeats the entire purpose of having a package repository, and my decisions of where to put things are likely not going to match the package maintainers which means I'm stuck always updating it from source.

>
> Regards
> Klaus
> - --
>

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
