Description of problem:
Hi,
On CentOS 6.x the Exim version 4.72 is considered obsolete.

From exim.org:
All versions of Exim previous to version 4.87 are now obsolete and everyone is very strongly recommended to upgrade to a current release. The last 3.x release was 3.36. It is obsolete and should not be used. The current version is 4.87

Version-Release number of selected component (if applicable):
4.72; to be upgraded to the latest version for security

How reproducible:
The version of Exim on CentOS is 4.72

Steps to Reproduce:
Check the version of Exim, the last available

Actual results:
The version is 4.72, which is old, and everyone can check my Exim version in a sent email header, so I am not happy that this can stimulate someone to try to find vulnerabilities in an old, not updated version, even if it is patched.

Expected results:
Have the latest secure version

Additional info:
Please, maybe with low priority (but it is not low), upgrade to the latest version also for users of CentOS 6.x. I do not have the possibility right now to move to CentOS 7 because it is not yet supported by my provider.
As of 2016-07-06 exim 4.84 is available for EPEL 6:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dbbb9011cd

That said, if you're worried about the version of Exim being advertised then I recommend that you set the smtp_banner option.

EPEL generally attempts to maintain a slower release cycle to avoid breaking people's running servers. This sometimes means that there are old version numbers with the security fixes back-ported. There will be times when the version looks old and vulnerable but is not.
Hi, thank you, I will alert my control panel team to update to version 4.84. I tried smtp_banner but it seems not to work with Exim 4.72, because it causes an error on restarting Exim. I will try to update to version 4.84.
(In reply to Mark Chappell from comment #1)
> EPEL generally attempts to maintain a slower release cycle to avoid breaking
> people's running servers. This sometimes means that there are old version
> numbers with the security fixes back-ported. There will be times when the
> version looks old and vulnerable but is not.

Yep, that was exactly the case. IMHO we had all security fixes backported. But with the last CVE it got really complicated and we had to rebase.
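Added example, not part of the original thread: one way to check the point made in comments #1 and #3, that a package with an old version number can still carry back-ported security fixes, is to read the CVE identifiers recorded in the RPM changelog. The function names, the sample changelog, its release numbers and its CVE ids are constructed placeholders; it assumes changelog headers end in "- version-release".

```shell
#!/bin/sh
# List each CVE id recorded in an RPM changelog together with the package
# release whose entry first recorded it. On a real host, feed it with:
#   rpm -q --changelog exim | cve_fixes
cve_fixes() {
    awk '
        # Entry header, e.g. "* Wed Mar 02 2016 Name <mail> - 1.0-2".
        # Assumption: the last field is the version-release.
        /^\*/ { release = $NF; next }
        {
            line = $0
            # Pull every CVE identifier out of the entry body.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                # The changelog is newest-first, so the last assignment
                # is the oldest release that mentions this id.
                fixed[id] = release
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (id in fixed) print id, fixed[id] }
    ' | sort
}

# Constructed changelog: placeholder CVE ids and releases, not real data.
sample_changelog() {
    cat <<'EOF'
* Wed Mar 02 2016 Packager <packager@example.org> - 1.0-2
- Backport fix for CVE-0000-0002
* Mon Jan 04 2016 Packager <packager@example.org> - 1.0-1
- Backport fixes for CVE-0000-0001 and CVE-0000-0003
- Add regression test for CVE-0000-0001
EOF
}

# Exit status 0 if the changelog on stdin records the given CVE id.
has_fix() {
    cve_fixes | grep -q "^$1 "
}

sample_changelog | cve_fixes
```

A missing id in the changelog does not prove the fix is absent, since packagers do not always name the CVE; the distribution's security advisories remain the authoritative record.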
Thanks.

There are comments that need a reply on
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dbbb9011cd

*************************************
anonymous:
Why this package has weird dependency of perl 5.10 as the exim 4.72 didn't have this dependency.

As perl is now up to version 5.24.

Can anyone explain this ?
*************************************

peopleinside:
Waiting for a reply to the anonymous comments. Thanks, maybe on systems where there is a more recent perl version a workaround is needed, Thanks.

*************************************
(In reply to Marco Borla from comment #4)
> Thanks.
>
> There are comments who need reply on
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dbbb9011cd
>
> *************************************
> anonymous:
> Why this package has weird dependency of perl 5.10 as the exim 4.72 didn't
> have this dependency.
>
> As perl is now up to version 5.24.
>
> Can anyone explain this ?
> *************************************
>
>
> peopleinside:
> Waiting for know a reply to anonymous comments. Thanks, maybe in the system
> where there are a most recent perl version is needed a workaround, Thanks.
>
> *************************************

Are you sure?

exim-4.72-7.el6.x86_64.rpm
http://koji.fedoraproject.org/koji/rpminfo?rpmID=5662417
Requires: perl(:MODULE_COMPAT_5.10.1)

I cannot see any problem, built with the following macros:
perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Thanks I will check better. Thank you!
As from what I understood this Exim version can have issues if the perl version is 5.20
From what I understood, this Exim version can have issues if the perl version is 5.20.

My control panel has a perl version higher than 5.10, and it seems that testing this Exim version has issues.
(In reply to Marco Borla from comment #8)
> As from what I understood this Exim version can have issues if the perl
> version is 5.20
>
> My Control panel have a perl version superior to the version 5.10 and seems
> like testing this Exim version have issues.

Why do you have system perl 5.20? Is this supported? The latest system perl package in RHEL-6.9 is:
perl-5.10.1-142.el6
Hi Jeroslav,
it is a strange situation. I am only a user who is using a control panel, and my rule is to keep my server updated and secure.
I know almost nothing about programming. In January 2016 I found a strong security vulnerability in Exim, reported it to you and it was fixed, that's good.

Now I have learned there is a new version of Exim, but the staff of my control panel have an issue with updating, because on a different page for Exim 4.72 there seems to be no dependency on perl:
http://rpmfind.net/linux/RPM/mandriva/2011/x86_64/media/contrib/release/exim-4.72-8.x86_64.html

and now there is:
http://rpmfind.net/linux/RPM/epel/6/x86_64/exim-4.84.2-3.el6.x86_64.html

I don't know why they are using perl 20, but if I test on my CentOS 6.8, perl -v gives me:

This is perl 5, version 20, subversion 3 (v5.20.3) built for x86_64-linux

Copyright 1987-2015, Larry Wall

Now I am posting to report to the control panel staff... I am trying to help the team, as it seems they can't or don't want to post here directly.

Maybe I need to open a new bug / issue topic?!
They have started to test the new Exim on their server and have issues, so they cannot release the update for now.

They say perl 20 is installed from the OS, I don't know.
Now I think it is important to understand, as perl seems to be version 20, whether there is a way to use the new Exim.

They provided me the two links I posted here, where Exim 4.72 seems to have no dependency on perl, unlike the Exim 4.72 link you sent me, where the perl dependency is visible.

Sorry for the discussion and trouble Jeroslav, your work is very important to us.
(In reply to Marco Borla from comment #10)
Hi,

> http://rpmfind.net/linux/RPM/mandriva/2011/x86_64/media/contrib/release/exim-4.72-8.x86_64.html
>
This is a link for Mandriva, not RHEL. You cannot intermix RPM binary packages between distros. Well, in fact you can, but it's strange, unsupported, and very probably will not work correctly. The previous EPEL package is here:
http://koji.fedoraproject.org/koji/rpminfo?rpmID=5662417

And you can see there is the same requirement.

> I don't know why they are using perl 20 but if I test in my CentOs 6.8 I can
> see perl -v give me:
>
In fact this is not the CentOS bugzilla, but the bugzilla for RHEL/EPEL/Fedora. EPEL is an extension for RHEL that is unsupported by Red Hat, and the dependency is correct for RHEL. If you want to use the package you need either RHEL or a compatible system (but in such a case you are on your own).

> This is perl 5, version 20, subversion 3 (v5.20.3) built for x86_64-linux
>
> Copyright 1987-2015, Larry Wall
>
> Now I am posting for report to the control panel staff... I am trying to
> help the team as seems they can't or want post here directly.
>
> Maybe I need open a new bug / issue topic?!
> They have started to test the new Exim in their server and have issues so
> cannot release for now the update.
>
> They says perl 20 are installed from OS I don't know.
> Now I think is important understand as seems perl is version 20 if there are
> a way to use the new Exim.
>
> They provide to me the two link i provide here where in Exim 4.72 seems no
> dependency on perl, different from the link Exim 4.72 you sent to me where
> per dependency is visible.
>
> Sorry for the discussion and trouble Jeroslav, your work is very important
> to us.

I understand you have trouble with it, but I cannot see any bug here (well, we could loosen the perl deps, but it is something we really shouldn't do for a stable RHEL release).
In case you cannot downgrade perl, you can still recompile exim from the SRPM for your system by running:
$ rpmbuild --rebuild exim-4.84.2-3.el6.src.rpm
I am using the Webuzo panel provided by softaculous.com.
On CentOS it seems the latest perl is higher than 5.10, and it also seems that Webuzo, in testing the new Exim, has issues, maybe because of the higher perl version...

So if I want to ask for the perl version requirement to be updated, to add support for the newest perl version, where do I have to ask?

Can it be a security hole to continue to use Exim 4.72, as it seems Webuzo wants to do for now... because they are at the moment unable to update to the new Exim version, as it is giving issues.

I need to understand how I can help Webuzo to find a solution. I think it is very important to upgrade from 4.72 of 2011 to Exim 4.84.

Any help will be appreciated. Thanks.
As far as I can understand, the supported perl 5.10 is set by Exim, so the issue of perl 5.20 not being supported is because Exim doesn't support it at the moment?
Do I have to contact Exim? Where can I do this?