namshi / docker-smtp

SMTP docker container
MIT License

Please provide updated images due to exim4 security updates #81

Open jasonhildebrand opened 3 years ago

jasonhildebrand commented 3 years ago

There were a bunch of exim4 security updates announced today, including several remote code executions.

https://lists.debian.org/debian-security-announce/2021/msg00093.html

The fixes are in buster, so it should be a matter of rebuilding images to pull the latest packages from there. Can you please do this and push to docker hub?

AndreGeddert commented 3 years ago

Please prioritise this. It's critical! See https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

toaomatis commented 3 years ago

Yes, please give prio to this issue / update!

toaomatis commented 3 years ago

Unfortunately there is (still) no updated package available for Debian Buster https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=exim4-daemon-light

Buster (stable) is still at 4.92-8+deb10u6

jasonhildebrand commented 3 years ago

Debian security updates are generally available as soon as the security announcement is made.

4.92-8+deb10u6 is the patched version. See https://www.debian.org/security/2021/dsa-4912
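To settle the "is my image patched?" question from the two comments above, here is a small POSIX shell check, added here as an example and not part of namshi/docker-smtp: it reads `dpkg -s exim4-daemon-light` output, pulls out the `Version:` field and compares it against the fixed version quoted from DSA-4912. The comparison uses `dpkg --compare-versions` when dpkg is available and falls back to GNU `sort -V` otherwise (an approximation of Debian ordering, labelled as such). The sample dpkg output at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): decide whether an image's exim4 package
# is at or above the DSA-4912 fixed version mentioned in the thread.
set -eu

FIXED_VERSION="4.92-8+deb10u6"   # fixed version quoted in the thread (DSA-4912)

# Extract the "Version:" field from `dpkg -s <pkg>` output supplied on stdin.
installed_version() {
    sed -n 's/^Version: //p'
}

# Return 0 when $1 >= $2 in Debian version ordering.
# Prefers dpkg; otherwise approximates with GNU sort -V (assumption: GNU coreutils).
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Verdict for a dpkg -s dump on stdin: prints "patched", "vulnerable" or "unknown".
assess() {
    v="$(installed_version)"
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample: what an image still on the previous package revision would report.
SAMPLE_OLD='Package: exim4-daemon-light
Status: install ok installed
Version: 4.92-8+deb10u5'

# Usage against a real image (assumes the image is Debian-based and has dpkg):
#   docker run --rm namshi/smtp dpkg -s exim4-daemon-light | sh -c '. ./check.sh; assess'
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OLD" | assess
fi
```

The check answers exactly the question raised above: an image reporting `4.92-8+deb10u6` or later is patched, while `deb10u5` (or an image that predates the rebuild) is not. Rebuilding the image without verifying the installed package version leaves room for a cached base layer to reintroduce the old package, so run the check on the image you actually deploy rather than on the Dockerfile.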

jasonhildebrand commented 3 years ago

@oba11, are you able to rebuild the images and push to docker hub?

issa-tseng commented 3 years ago

alright, i pushed an alternate image again: https://hub.docker.com/repository/docker/itsissa/namshi-smtp

AndreGeddert commented 3 years ago

Thank you very much Issa. May I ask for the reason you don't use a latest tag for your images?

issa-tseng commented 3 years ago

yeah, I am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

AndreGeddert commented 3 years ago

> yeah, I am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

ok, so you used 4.92-8.deb10u6 for your tag. I guess 4.92 is the exim version and the second part is the underlying debian version. What you can do is tag the latest image with the tag "latest" like this: `docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:latest` and then push this. When you build a new one, say 4.95-8deb10u7, you tag this new one with latest. This way users can always pull the latest image without changing the tag, if they want.

Another more granular concept of tagging is to tag the major version. Let's say you want your users to be able to stay on exim 4.x; you can tag like `docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:4` and when you have 4.95 you tag it as 4 again. But when you build Exim 5 you tag this as 5 and the 4 tag stays at the latest 4.x image.
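The two-tag scheme described in this comment (full version, major version, `latest`) as a runnable POSIX shell script, added here as an example rather than anything from the namshi/docker-smtp project or from the people in this thread. It assumes the repository name `itsissa/namshi-smtp` from above, takes the version tag as its first argument, derives the major tag from the text before the first dot, and defaults to a dry run so the `docker tag` / `docker push` commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not project code): publish one built image under three tags,
# e.g. 4.92-8.deb10u6 -> also "4" and "latest", as suggested in the thread.
set -eu

IMAGE="${IMAGE:-itsissa/namshi-smtp}"   # repository from the thread (assumption: same layout)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = actually run docker

# Major version is everything before the first dot: 4.92-8.deb10u6 -> 4
major_of() {
    printf '%s\n' "${1%%.*}"
}

# Space-separated list of every tag the image should carry: full, major, latest
tags_for() {
    printf '%s %s latest\n' "$1" "$(major_of "$1")"
}

# Execute or merely print a command depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Tag IMAGE:VERSION with each alias and push all of them.
# The full-version tag already exists from the build, so it is only pushed.
publish() {
    version="$1"
    for tag in $(tags_for "$version"); do
        [ "$tag" = "$version" ] || run docker tag "$IMAGE:$version" "$IMAGE:$tag"
        run docker push "$IMAGE:$tag"
    done
}

# Usage: DRY_RUN=0 ./publish.sh 4.92-8.deb10u6
if [ "${1:-}" != "" ]; then
    publish "$1"
fi
```

Keeping the full-version tag alongside `latest` matters for operators: a deployment pinned to `4.92-8.deb10u6` (or, better, to the image digest) is reproducible and auditable, while `latest` is convenient for picking up the next security rebuild but tells you nothing about which exim4 package you are actually running.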

issa-tseng commented 3 years ago

okay I think it's done! sorry it took a second

jasonhildebrand commented 3 years ago

FYI, because this project seems defunct/unmaintained, I searched and found a maintained fork of this project: https://github.com/ix-ai/smtp

I have switched from namshi/smtp to ixdotai/smtp. Functionally it works the same and is configured the same, but it has a newer version of Exim so it is not 100% identical (read: test and make sure it works in your environment).

In the interests of not needing to switch again, I volunteered to be a co-maintainer of ixdotai/smtp.

AndreGeddert commented 3 years ago

@issa-tseng maybe it makes sense to pool forces and contribute to https://github.com/ix-ai/smtp. Thank you all for your work.