Please provide updated images due to exim4 security updates #81

Open
jasonhildebrand opened this issue May 4, 2021 · 12 comments

@jasonhildebrand

There were a bunch of exim4 security updates announced today, including several remote code executions.

https://lists.debian.org/debian-security-announce/2021/msg00093.html

The fixes are in buster, so it should be a matter of rebuilding images to pull the latest packages from there.
Can you please do this and push to docker hub?

@AndreGeddert

@toaomatis

Yes, please give prio to this issue / update!

@toaomatis

toaomatis commented May 7, 2021

Unfortunately, there is (still) no updated package available for Debian Buster:
https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=exim4-daemon-light

Buster (stable) is still at 4.92-8+deb10u6

@jasonhildebrand
Author

jasonhildebrand commented May 10, 2021

Debian security updates are generally available as soon as the security announcement is made.

4.92-8+deb10u6 is the patched version. See https://www.debian.org/security/2021/dsa-4912

@jasonhildebrand
Author

@oba11, are you able to rebuild the images and push to docker hub?

@issa-tseng
Contributor

alright, i pushed an alternate image again: https://hub.docker.com/repository/docker/itsissa/namshi-smtp

@AndreGeddert

AndreGeddert commented Aug 12, 2021

Thank you very much, Issa. May I ask for the reason you don't use a latest tag for your images?

@issa-tseng
Contributor

issa-tseng commented Aug 13, 2021

yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

@AndreGeddert

> yeah, i am not really all that familiar w docker is why. :) happy to repush if you sample me a command.

ok, so you used 4.92-8.deb10u6 for your tag. I guess 4.92 is the Exim version and the second part is the underlying Debian version.
What you can do is tag the latest image with the tag "latest" like this:
docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:latest
and then push this.
When you build a new one, say 4.95-8deb10u7, you tag this new one with latest.
This way users can always pull the latest image without changing the tag, if they want.

Another, more granular concept of tagging is to tag the major version. Let's say you want your users to be able to stay on Exim 4.x; you can tag like this:
docker tag itsissa/namshi-smtp:4.92-8.deb10u6 itsissa/namshi-smtp:4
and when you have 4.95 you tag it as 4 again. But when you build Exim 5 you tag this as 5 and the 4 tag stays at the latest 4.x image.

@issa-tseng
Contributor

okay i think it's done! sorry it took a second

@jasonhildebrand
Author

FYI, because this project seems defunct/unmaintained, I searched and found a maintained fork of this project: https://github.com/ix-ai/smtp

I have switched from namshi/smtp to ixdotai/smtp. Functionally it works the same and is configured the same, but it has a newer version of Exim so it is not 100% identical (read: test and make sure it works in your environment).

In the interests of not needing to switch again, I volunteered to be a co-maintainer of ixdotai/smtp.

@AndreGeddert

AndreGeddert commented Sep 12, 2021

@issa-tseng maybe it makes sense to pool forces and contribute to https://github.com/ix-ai/smtp.
Thank you all for your work.
