Mailing List Archive

Question regarding exim 4.96 CVE-2022-3559
Hi,

I am currently building an rpm from the exim source for 4.96 located here
--> https://ftp.exim.org/pub/exim/exim4/

I am looking to build exim 4.96 however I noticed that all the tar balls in
this mirror and all others look to be dated back to Jun. I was wondering if
this is intentional or maybe a better question is how often these tarballs
are updated after which the mirror will display them.

The main reason I ask is I am looking at making sure our current install of
exim 4.96 we have built includes the fix required for CVE-2022-3559 which
the commit for this is here -->
https://git.exim.org/exim.git/commitdiff/4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2

I noticed that the current dated tarballs in all mirrors doesn't include
this commit.

So I guess I am after more information on how often sources for the mirrors
used for exim are kept up to date or if the sources simply keep a tag
release of 4.96 and any future changes are expected to be patched in by the
user building exim using the source?

I am happy to look into patching the tarball my side if required in the
build however thought I would ask the above here before going to the
trouble to better understand the process. Any help people can give me would
be much appreciated.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Question regarding exim 4.96 CVE-2022-3559 [ In reply to ]
On 11/11/2022 14:12, Adam Stackhouse via Exim-users wrote:
> the sources simply keep a tag
> release of 4.96 and any future changes are expected to be patched in by the
> user building exim using the source?

This.

Another option for you, if you want bleeding-edge, would be a git tree.
--
Cheers,
Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/