Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please provide updated images due to exim4 security updates #81

Open
jasonhildebrand opened this issue May 4, 2021 · 12 comments
Open

Comments

@jasonhildebrand
Copy link

There were a bunch of exim4 security updates announced today, including several remote code executions.

https://lists.debian.org/debian-security-announce/2021/msg00093.html

The fixes are in buster, so it should be a matter of rebuilding images to pull the latest packages from there.
Can you please do this and push to docker hub?

@AndreGeddert
Copy link

@toaomatis
Copy link

Yes, please give prio to this issue / update!

@toaomatis
Copy link

toaomatis commented May 7, 2021

Unfortunate there is (still) no updated package available for Debian Buster
https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=exim4-daemon-light

Buster (stable) is still at 4.92-8+deb10u6

@jasonhildebrand
Copy link
Author

jasonhildebrand commented May 10, 2021

Debian security updates are generally available as soon as the security announcement is made.

4.92-8+deb10u6 is the patched version. See https://www.debian.org/security/2021/dsa-4912

@jasonhildebrand
Copy link
Author

@oba11, are you able to rebuild the images and push to docker hub?

@issa-tseng
Copy link
Contributor

alright, i pushed an alternate image again: https://hub.docker.com/repository/docker/itsissa/namshi-smtp

@AndreGeddert
Copy link

AndreGeddert commented Aug 12, 2021

Thank you very much Issa. May i ask for the reason you dont use a latest-tag for your images?

@issa-tseng
Copy link
Contributor

issa-tseng commented Aug 13, 2021

yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

@AndreGeddert
Copy link

yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

ok, so you used 4.92-8.deb10u6 for your tag. I guess 4.92 is die exim version and the second part is the underlying debian version.
What you can do is tag the latest image with the tag "latest" like this
docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:latest
and then push this.
When you build an a new one, say 4.95-8deb10u7 you tag this new one with latest.
This way users can always pull the latest image without changing the tag, if they want.

Another more granular concept of tagging is to tag major version. Lets say you want your users to be able to stay on exim 4.x you can tag like
docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:4
and when you have 4.95 you tag it as 4 again. But when you build Exim 5 you tag this as 5 and the 4 tag stays at the latest 4.x image.

@issa-tseng
Copy link
Contributor

okay i think it's done! sorry it took a second

@jasonhildebrand
Copy link
Author

FYI, because this project seems defunct/unmaintained, I searched and found a maintained fork of this project: https://github.com/ix-ai/smtp

I have switched from namshi/smtp to ixdotai/smtp. Functionally it works the same and is configured the same, but it has a newer version of Exim so it is not 100% identical (read: test and make sure it works in your environment).

In the interests of not needing to switch again, I volunteered to be a co-maintainer of ixdotai/smtp.

@AndreGeddert
Copy link

AndreGeddert commented Sep 12, 2021

@issa-tseng maybe it makes sense to pool forces and contribute to https://github.com/ix-ai/smtp.
Thank you all for your work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants