Michael Grant <mgrant@???> wrote:
> On Sat, Jul 12, 2014 at 9:20 AM, Klaus Ethgen <Klaus+exim@???> wrote:
>> On Sat, 12 Jul 2014 at 1:05, Michael Grant wrote:
>>> Does anyone on this list know what the state of getting 4.82.1 (or
>>> whatever is latest) into the backports repository for Debian is?
>>
>> You can add a wishlist bug for it.
>>
>>> It seems like this is quite urgent as there are some serious
>>> sounding security fixes since 4.80!
>>
>> I don't think so. Without explicitly checking all the patches, but
>> debian usually backports security relevant patches to the stable
>> distribution.
> I urge you to go look at what got fixed between 4.80 and 4.82 then (
> https://lists.exim.org/lurker/list/exim-announce.html). There's a
> DKIM hole that got patched that sounds pretty serious if you use DKIM.
> The latest version in Debian's wheezy distribution is 4.80 from
> 02-Jan-2013 -- more than 18 months ago! There is no back-port from
> Jessie. Why? Still don't think so?
> Are you implying that debian has in fact patched these security problems
> but still calls it 4.80? I'm finding that hard to believe.
That is the case. SuSE, RedHat and Ubuntu work the same way. The version
of the package stays the same, because no new features or anything are
added; just the security bugs (where applicable) are patched, either by
backporting the fix from a newer version or by crafting their own patch.
The DKIM bug with CVE-2012-5671 you noted was fixed in 4.80.1 announced
26-Oct-2012 and was fixed in the Debian version of exim4 4.80-5.1 on
25-Oct-2012, one day before the public release of the bugfix, as you can
see in the changelog:
http://metadata.ftp-master.debian.org/changelogs//main/e/exim4/exim4_4.80-7_changelog
I know several of the Debian Exim maintainers personally and I know they
are on top of things concerning security.
Regards,
Sven.
--
Sigmentation fault. Core dumped.
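The point above (a distribution keeps the upstream version string and records the security fix only in the package changelog) is the reason the changelog, not the version number, is what to check. The following is an added example, not code from any poster or from the Debian exim4 package: a POSIX sh helper that reads a Debian-format changelog on stdin and prints the oldest revision whose entry mentions a given CVE id. The changelog text embedded here is a constructed sample in Debian changelog format, not the real exim4 entries; only the package name, the revision 4.80-5.1 and CVE-2012-5671 are taken from the thread.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format (NOT the real exim4 changelog).
# Entries are newest-first, as in a real changelog.
SAMPLE_CHANGELOG='exim4 (4.80-7) unstable; urgency=low

  * Constructed entry: unrelated packaging change.

 -- Example Maintainer <maint@example.invalid>  Tue, 01 Jan 2013 00:00:00 +0000

exim4 (4.80-5.1) unstable; urgency=high

  * Constructed entry: backport upstream security fix (DKIM). CVE-2012-5671

 -- Example Maintainer <maint@example.invalid>  Thu, 25 Oct 2012 00:00:00 +0000

exim4 (4.80-5) unstable; urgency=low

  * Constructed entry: new upstream release 4.80.

 -- Example Maintainer <maint@example.invalid>  Tue, 10 Jul 2012 00:00:00 +0000
'

# cve_fixed_in CVE-ID
#   Reads a Debian changelog on stdin. Prints the oldest package revision
#   whose entry mentions CVE-ID and returns 0; prints nothing and returns 1
#   if no entry mentions it. "Oldest" is what matters: any later revision
#   also carries the fix, so an installed version >= this one is patched.
cve_fixed_in() {
    cve="$1"
    found=$(awk -v cve="$cve" '
        # Entry header looks like: exim4 (4.80-5.1) unstable; urgency=high
        /^[a-z0-9][a-z0-9.+-]* \([^)]+\)/ {
            ver = $2
            gsub(/[()]/, "", ver)      # strip the parentheses around the version
        }
        # Body line mentioning the CVE: remember the version of the entry it belongs to.
        # Entries are newest-first, so the last match seen is the oldest revision.
        index($0, cve) && ver != "" { found = ver }
        END { if (found != "") print found }
    ')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Stand-alone demonstration on the constructed sample.
if ver=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2012-5671); then
    echo "CVE-2012-5671 first fixed in exim4 revision $ver"
else
    echo "CVE-2012-5671 not mentioned in changelog"
fi
# Against a real system the same helper can be fed the package's actual changelog,
# e.g.:  apt-get changelog exim4 | cve_fixed_in CVE-2012-5671
```

On a Debian host, compare the printed revision with `dpkg-query -W -f '${Version}\n' exim4` (or pass both to `dpkg --compare-versions`) to decide whether the installed package already contains the fix; a "4.80" prefix on its own says nothing either way.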