
Please provide updated images due to exim4 security updates

Open jasonhildebrand opened this issue 4 years ago • 12 comments

There were a bunch of exim4 security updates announced today, including several remote code executions.

https://lists.debian.org/debian-security-announce/2021/msg00093.html

The fixes are in buster, so it should be a matter of rebuilding images to pull the latest packages from there. Can you please do this and push to docker hub?

jasonhildebrand, May 04 '21 15:05

Please prioritise this. It's critical! See https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

AndreGeddert, May 06 '21 09:05

Yes, please give prio to this issue / update!

toaomatis, May 07 '21 07:05

Unfortunately, there is (still) no updated package available for Debian Buster: https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=exim4-daemon-light

Buster (stable) is still at 4.92-8+deb10u6

toaomatis, May 07 '21 08:05

Debian security updates are generally available as soon as the security announcement is made.

4.92-8+deb10u6 is the patched version. See https://www.debian.org/security/2021/dsa-4912

jasonhildebrand, May 10 '21 15:05

@oba11, are you able to rebuild the images and push to docker hub?

jasonhildebrand, May 21 '21 16:05

alright, i pushed an alternate image again: https://hub.docker.com/repository/docker/itsissa/namshi-smtp

issa-tseng, Aug 11 '21 23:08

Thank you very much, Issa. May I ask for the reason you don't use a latest-tag for your images?

AndreGeddert, Aug 12 '21 10:08

yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

issa-tseng, Aug 13 '21 02:08

> yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

ok, so you used 4.92-8.deb10u6 for your tag. I guess 4.92 is the exim version and the second part is the underlying debian version. What you can do is tag the latest image with the tag "latest" like this: `docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:latest` and then push this. When you build a new one, say 4.95-8deb10u7, you tag this new one with latest. This way users can always pull the latest image without changing the tag, if they want.

Another more granular concept of tagging is to tag the major version. Let's say you want your users to be able to stay on exim 4.x; you can tag like `docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:4` and when you have 4.95 you tag it as 4 again. But when you build Exim 5 you tag this as 5 and the 4 tag stays at the latest 4.x image.

AndreGeddert, Aug 13 '21 13:08

okay i think it's done! sorry it took a second

issa-tseng, Aug 18 '21 01:08

FYI, because this project seems defunct/unmaintained, I searched and found a maintained fork of this project: https://github.com/ix-ai/smtp

I have switched from namshi/smtp to ixdotai/smtp. Functionally it works the same and is configured the same, but it has a newer version of Exim so it is not 100% identical (read: test and make sure it works in your environment).

In the interests of not needing to switch again, I volunteered to be a co-maintainer of ixdotai/smtp.

jasonhildebrand, Sep 09 '21 17:09

@issa-tseng maybe it makes sense to pool forces and contribute to https://github.com/ix-ai/smtp. Thank you all for your work.

AndreGeddert, Sep 12 '21 15:09