Hi Folks,
I'll start with the last mail I reply to. It makes more sense that way.
On Sat, 12 Jul 2014 at 16:28, Graeme Fowler wrote:
> With respect folks, this is not the right mailing list for this discussion.
>
> There is a Debian-specific support list for Exim on Debian; I suggest you
> look in your package docs and follow from there. I'm sure the distribution
> maintainers will be happy to answer any questions.
More or less true, especially if he asks something Debian-specific.
But parts of the discussion apply to all distributions, so I will
answer them here.
On Sat, 12 Jul 2014 at 15:44, Adam D. Barratt wrote:
> > > I don't think so. I haven't explicitly checked all the patches, but
> > > Debian usually backports security-relevant patches to the stable
> > > distribution.
> > I urge you to go look at what got fixed between 4.80 and 4.82 then (
> > https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM
> > hole that got patched that sounds pretty serious if you use DKIM.
>
> Do you mean CVE-2012-5671, which was fixed in exim 4.80.1 in October
> 2012? That was already fixed in Debian's package version 4.80-5.1 at the
> same time as the announcement by the exim maintainers; wheezy has 4.80-7,
> i.e. newer.
I also think that this is the bug Michael refers to.
> Why would you expect a _stable distribution_ to contain an upstream
> version beyond the one that was current when the distribution was
> released?
And that is exactly how stable distributions, all of them, call them
Debian, Red Hat, susi^He, ..., work. You do not want to have a major
version upgrade in a stable release.
If you want that, you have to go your own way and compile the software
yourself. But then you have to take care of dependencies,
security upgrades and API changes yourself.
I know some people who compile exim themselves. It is not that hard. But if
you use a stable release of a distribution, you will stay on that
particular version, with the distribution caring about security fixes. How
they do that might differ.
On Sat, 12 Jul 2014 at 14:59, Michael Grant wrote:
> > If you find an unfixed security bug, you can create a bug report with
> > severe severity.
>
> It's true, I can do this, however, I'm not the person who builds exim on
> debian, I just came along the other day and started using it because I
> needed a mailer!
That is also how distributions work. If you find a security bug that is
not fixed, report it. The one who builds the Debian packages might not know
about all security bugs, but most likely they monitor the relevant
information to do so.
Especially with Debian it is so easy to call »reportbug« to report your
bug. While it is a pain in the ass to file a bug in Red Hat's Bugzilla, it
is so easy to file one in Debian. So please don't complain, report it.
> What you are saying implies a much larger problem that there's no
> orderly way to feed release info into the distributions.
What? I do not get this sentence.
Ah, and before you ask, no, I am not related to Debian, I just use
Debian as the base of the systems I build stuff on. And I have reported many
bugs so far on many subsystems. Even if some of the bugs were nonsense (not
intended, but they turned out to be my own problem), it makes sense to report
bugs.
Regards
Klaus
PS: You do not need to send the answer to me directly, I do actively
read this list.
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C