Hi Folks,

I'll start with the last mail I reply to. It makes more sense that way.

On Sat, 12 Jul 2014 at 16:28, Graeme Fowler wrote:
> With respect folks, this is not the right mailing list for this discussion.
>
> There is a Debian-specific support list for Exim on Debian; I suggest you
> look in your package docs and follow from there. I'm sure the distribution
> maintainers will be happy to answer any questions.

More or less true, especially if he asks something debian specific. But parts of the discussion match all distributions. So I will answer them here.

On Sat, 12 Jul 2014 at 15:44, Adam D. Barratt wrote:
> > > I don't think so. Without explicitly checking all the patches, but
> > > debian usually backports security relevant patches to the stable
> > > distribution.
> > I urge you to go look at what got fixed between 4.80 and 4.82 then (
> > https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM
> > hole that got patched that sounds pretty serious if you use DKIM.
>
> Do you mean CVE-2012-5671, which was fixed in exim 4.80.1 in October
> 2012? That was already fixed in Debian's package version 4.80-5.1 at the
> same time as the announcement by the exim maintainers; wheezy has 4.80-7
> - i.e. newer.

I also think that this is the bug Michael refers to.

> Why would you expect a _stable distribution_ to contain an upstream
> version beyond the one that was current when the distribution was
> released?

And that is exactly how stable distributions, all of them, call them debian, redhat, susi^He, ..., work. You do not want to have a major version upgrade in a stable release. If you want, you have to go your own way and compile the software yourself. But then you have to take care yourself about dependencies, security upgrades and API changes. I know some people compiling exim themselves. It is not that hard. But if you use a stable release of a distribution, you will stay on that particular version with the distribution caring about security fixes. How they do that might be different.

On Sat, 12 Jul 2014 at 14:59, Michael Grant wrote:
> > If you find an unfixed security bug you can create a bugreport with sever
> > severity.
>
> It's true, I can do this, however, I'm not the person who builds exim on
> debian, I just came along the other day and started using it because I
> needed a mailer!

Also that is how distributions work. If you find a security bug that is not fixed, report it. The one who builds debian packages might not know about all security bugs but most likely they monitor the relevant information to do so. Especially with debian it is so easy to call »reportbug« to report your bug. While it is a pain in the ass to file a bug in redhat's bugzilla, it is so easy to file one in debian. So please don't complain, report it.

> What you are saying implies a much larger problem that there's no
> orderly way to feed release info into the distributions.

What? I do not get this sentence.

Ah, and before you ask, no, I am not related to debian, I just use debian as base of the systems I build stuff on. And I reported many bugs until now on many subsystems. Even if some of the bugs are nonsense (not intended but came out as being my own problem) it makes sense to report bugs.

Regards
   Klaus

Ps. You do not need to send the answer to me directly, I do actively read this list.
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/