On Sat, 2014-07-12 at 14:59 +0100, Michael Grant wrote:
> On Sat, Jul 12, 2014 at 9:20 AM, Klaus Ethgen <Klaus+exim@???> wrote:
> > Am Sa den 12. Jul 2014 um 1:05 schrieb Michael Grant:
> > > Does anyone on this list know what the state of getting 4.82.1 (or
> > > whatever is latest) into the backports repository for Debian is?
[...]
> > > It seems like this is quite urgent as there are some serious sounding
> > > security fixes since 4.80!
> >
> > I don't think so. Without explicitly checking all the patches, but
> > debian usually backports security relevant patches to the stable
> > distribution.
> >
>
> I urge you to go look at what got fixed between 4.80 and 4.82 then (
> https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM
> hole that got patched that sounds pretty serious if you use DKIM.
Do you mean CVE-2012-5671, which was fixed in exim 4.80.1 in October
2012? That was already fixed in Debian's package version 4.80-5.1 at the
same time as the announcement by the exim maintainers; wheezy has 4.80-7
- i.e. newer.
> The
> latest version in Debian's wheezy distribution is 4.80 from 02-Jan-2013 --
> more than 18 months ago!
Why would you expect a _stable distribution_ to contain an upstream
version beyond the one that was current when the distribution was
released?
> There is no back-port from Jessie. Why? Still
> don't think so?
>
> Are you implying that debian has in fact patched these security problems
> but still calls it 4.80? I'm finding that hard to believe.
That's how most distributions that make stable releases work. Updates
are made to fix security problems and sometimes other issues, not by
pulling in entire new upstream releases in the vast majority of cases.
For the record,
https://www.debian.org/security/faq#oldversion isn't
that difficult to find.
Regards,
Adam
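A defender's check for the point made above, as an added Python example that is not part of this thread: parse a Debian changelog (on a real system obtained with `apt-get changelog exim4` or from /usr/share/doc/exim4/changelog.Debian.gz) for the entry that names a CVE, then compare the installed package version against it using dpkg's version ordering rather than the upstream version string. The changelog excerpt below is constructed; only the versions and the CVE id are taken from the thread.

```python
import functools
import re

# Constructed excerpt in Debian changelog format (an illustrative entry, not the
# real exim4 changelog); the version and CVE id are the ones named in the thread.
CHANGELOG = """\
exim4 (4.80-5.1) unstable; urgency=high

  * Non-maintainer upload: fix DKIM security issue (CVE-2012-5671).

 -- Example Maintainer <maint@example.invalid>  Fri, 26 Oct 2012 12:00:00 +0200
"""
HEADER = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=", re.M)
VERSION = re.compile(r"^(?:(\d+):)?(.+?)(?:-([^-]*))?$")  # epoch:upstream-revision

def fix_versions(changelog, cve):
    """Package versions whose changelog entry mentions the given CVE id."""
    heads = list(HEADER.finditer(changelog))
    ends = [h.start() for h in heads[1:]] + [len(changelog)]
    return [h.group(2) for h, end in zip(heads, ends) if cve in changelog[h.end():end]]

def _part_cmp(a, b):
    """dpkg ordering for one version part: digit runs compare numerically,
    letters sort before other symbols, and '~' sorts before everything (even the end)."""
    order = lambda c: -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            oa = order(a[ia]) if ia < len(a) else 0
            ob = order(b[ib]) if ib < len(b) else 0
            if oa != ob:
                return oa - ob
            ia, ib = ia + 1, ib + 1
        na = re.match(r"\d*", a[ia:]).group(); ia += len(na)
        nb = re.match(r"\d*", b[ib:]).group(); ib += len(nb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    e1, u1, r1 = VERSION.match(v1).groups()
    e2, u2, r2 = VERSION.match(v2).groups()
    return (int(e1 or 0) - int(e2 or 0)) or _part_cmp(u1, u2) or _part_cmp(r1 or "", r2 or "")

def is_fixed(installed, changelog, cve):
    """True when the installed version is at least the oldest version mentioning the CVE."""
    fixes = fix_versions(changelog, cve)
    oldest = min(fixes, key=functools.cmp_to_key(compare_versions), default=None)
    return oldest is not None and compare_versions(installed, oldest) >= 0
```

With the thread's numbers, is_fixed("4.80-7", CHANGELOG, "CVE-2012-5671") is True while 4.80-5 is reported as unfixed, even though both carry upstream version 4.80.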