Author: Adam Spiers
To: Andy Bennett
CC: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing
On Fri, May 07, 2021 at 11:54:25AM +0100, Andy Bennett wrote:
>Hi,
>
>>which is less than the fixed 4.94.2 version. And indeed I see the
>>same presumably vulnerable version listed for buster here:
>>
>>https://packages.debian.org/search?keywords=exim4&searchon=names&exact=1&suite=all&section=all
>>
>>That list suggests that only sid (unstable), bullseye (testing), and
>>buster-backports have a fix.
>
>The red "security" tag means that there's a version of that package in
>the security repo (deb
>http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
>buster/updates main contrib) rather than the main distribution.
>
>It's red to draw your attention to this fact rather than because
>there's necessarily an outstanding security vulnerability.

Thanks, that's good to know. I wonder how they expect people to
discover that when there is no explanation of that on the page. It
would not be hard to add a tooltip or footnote which gives more
information.

>If you've got the security line (in parens above) in your apt
>sources.list file then you should get the patches when you upgrade.

I already had that, but nothing from LWN made me expect that 4.92.x
would be fixed. With hindsight, I could have checked
/usr/share/doc/exim4/changelog.Debian.gz.

>The stuff in the security repo is rolled up, along with other fixes,
>in main distribution point releases ( deb
>http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/
>buster main contrib ) which happen from time-to-time.
>
>It's true that it's tricky to know exactly which things are patched in
>particular revisions without further work tho'.

Indeed. That's why it's standard practice to list specific versions
showing which distro packages have the fixes.
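The check Adam describes, reading /usr/share/doc/exim4/changelog.Debian.gz rather than comparing the upstream version number, as an added example that is not code from anyone in this thread: it parses a Debian changelog, finds the package revision whose entry first mentions a given CVE id, and reports whether an installed revision is that one or a newer one. The sample changelog and CVE ids below are constructed placeholders, not the real exim4 changelog.

```python
import gzip
import re

# Constructed sample in Debian changelog format (not the real exim4 changelog; CVE ids are placeholders).
SAMPLE_CHANGELOG = """\
exim4 (4.92-8+deb10u6) buster-security; urgency=high

  * Backport upstream fixes for CVE-0000-0001 and CVE-0000-0002 (placeholders).

 -- Example Maintainer <maint@example.invalid>  Tue, 04 May 2021 12:00:00 +0200

exim4 (4.92-8+deb10u5) buster-security; urgency=high

  * Backport upstream fix for CVE-0000-0003 (placeholder).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Mar 2021 12:00:00 +0100
"""

# Entry header line: "package (version) distribution; urgency=..."
HEADER_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+ \((?P<version>[^)]+)\) ")

def parse_changelog(text):
    """Return (version, entry_body) pairs in file order, i.e. newest first."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m.group("version"), []))
        elif entries:
            entries[-1][1].append(line)
    return [(v, "\n".join(body)) for v, body in entries]

def fixed_in(text, cve):
    """Oldest package version whose entry mentions `cve`, or None."""
    hits = [v for v, body in parse_changelog(text) if cve in body]
    return hits[-1] if hits else None

def has_fix(text, installed_version, cve):
    """True if `installed_version` is the fixing entry or a newer one."""
    versions = [v for v, _ in parse_changelog(text)]
    fix = fixed_in(text, cve)
    if fix is None or installed_version not in versions:
        return False
    # Newest entry first, so a smaller index is a newer version; this sidesteps
    # re-implementing Debian version ordering (and ignores upstream numbers entirely).
    return versions.index(installed_version) <= versions.index(fix)

def load_changelog(path="/usr/share/doc/exim4/changelog.Debian.gz"):
    """Read the installed package's compressed Debian changelog."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as f:
        return f.read()
```

Note that asking about the upstream version "4.94.2" returns False here: a backported fix lives in a Debian revision of 4.92, which is exactly why the upstream number alone misleads.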