On Fri, May 07, 2021 at 11:54:25AM +0100, Andy Bennett wrote:
> Hi,
>
>> which is less than the fixed 4.94.2 version. And indeed I see the
>> same presumably vulnerable version listed for buster here:
>> https://packages.debian.org/search?keywords=exim4&searchon=names&ex…
>> That list suggests that only sid (unstable), bullseye (testing), and
>> buster-backports have a fix.
>
> The red "security" tag means that there's a version of that package in
> the security repo (deb
> http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
> buster/updates main contrib) rather than the main distribution.
> It's red to draw your attention to this fact rather than because
> there's necessarily an outstanding security vulnerability.
Thanks, that's good to know. I wonder how they expect people to
discover that when there is no explanation of that on the page. It
would not be hard to add a tooltip or footnote which gives more
information.
> If you've got the security line (in parens above) in your apt
> sources.list file then you should get the patches when you upgrade.
I already had that, but nothing from LWN made me expect that 4.92.x
would be fixed. With hindsight, I could have checked
/usr/share/doc/exim4/changelog.Debian.gz.
> The stuff in the security repo is rolled up, along with other fixes,
> in main distribution point releases ( deb
> http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/
> buster main contrib ) which happen from time to time.
>
> It's true that it's tricky to know exactly which things are patched in
> particular revisions without further work tho'.
Indeed. That's why it's standard practice to list specific versions
showing which distro packages have the fixes.
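As an added example, not part of this thread: the "further work" of checking whether a Debian package revision carries a given fix amounts to reading the Debian changelog rather than trusting the upstream version number, since Debian backports security fixes into the existing upstream version. The changelog text, version strings and the CVE id below are constructed placeholders, not real exim4 history.

```shell
# Added example (not from the thread): decide whether a Debian package carries
# a given fix by reading its Debian changelog, not its upstream version number.

# Write a constructed sample changelog to the file named in $1.
# Versions, dates and the CVE id are placeholders, not real exim4 history.
write_sample_changelog() {
  cat > "$1" <<'EOF'
exim4 (4.92-1~example2) buster-security; urgency=high

  * Backport upstream fix for CVE-XXXX-YYYY (placeholder id).

 -- Example Maintainer <maint@example.invalid>  Fri, 07 May 2021 10:00:00 +0100

exim4 (4.92-1~example1) buster; urgency=medium

  * Unrelated packaging change.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Feb 2021 10:00:00 +0000
EOF
}

# changelog_mentions FILE CVE: exit 0 if the CVE id appears anywhere in the
# changelog, 1 otherwise. FILE may be gzip-compressed, as
# /usr/share/doc/<pkg>/changelog.Debian.gz is on an installed system.
changelog_mentions() {
  case "$1" in
    *.gz) zcat "$1" ;;
    *)    cat "$1" ;;
  esac | grep -q -- "$2"
}

# first_fixed_version FILE CVE: print the oldest Debian revision whose entry
# mentions the CVE (entries are newest-first, so the last match wins);
# exit 1 if no entry mentions it.
first_fixed_version() {
  case "$1" in
    *.gz) zcat "$1" ;;
    *)    cat "$1" ;;
  esac | awk -v cve="$2" '
    /^[a-z0-9][a-z0-9.+-]* \([^)]*\) / { ver = $2; gsub(/[()]/, "", ver) }
    index($0, cve)                     { found = ver }
    END { if (found == "") exit 1; print found }'
}

# On a real host, compare the installed revision (dpkg-query -W -f='${Version}' exim4)
# with: first_fixed_version /usr/share/doc/exim4/changelog.Debian.gz CVE-XXXX-YYYY
```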