On Fri, May 07, 2021 at 11:06:37AM +0100, Adam Spiers wrote:
>And indeed I see the
>same presumably vulnerable version listed for buster here:
>
> https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all§ion=all
>
>That list suggests that only sid (unstable), bullseye (testing), and
>buster-backports have a fix.
>
>My sources.list is:
>
> deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
> deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
>
> deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
> deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main
>
> deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
> deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main
>
>Presumably that means I need to add buster-backports to get it.
>I'll try that now.
Well that was slightly more painful than it probably should have been,
but I managed it by adding the following source:
deb http://deb.debian.org/debian buster-backports main
which is documented at
https://backports.debian.org/Instructions/
According to
https://tools.bitfolk.com/wiki/Apt-cacher#Available_mirrors
I should have been able to prepend apt-cacher.lon.bitfolk.com/debian/
but
deb http://apt-cacher.lon.bitfolk.com/debian/deb.debian.org/debian buster-backports main
did not work.
Furthermore, as the backports instructions explain, all backports are
deactivated by default (i.e. the packages are pinned to 100), so a
simple "apt install exim4" won't work; instead you need
apt install exim4/buster-backports
I'm sure there's some package pinning voodoo which mitigates the need
for this suffix, but I always found Debian's handling of package
priorities confusing and never got the hang of it.