Re: 'exim', version '4.69', is out of date
On Tue, 08 Dec 2009 17:48:24 -0500, Paul Cartwright wrote:
> On Tue December 8 2009, Camaleón wrote:
>> I'd say you have installed an application (rkhunter?) to detect any
>> possible hole in the system that is detecting outdated versions of the
>> above services.
> Yes, I use rkhunter, that was an rkhunter log message.
>> For example, the latest available version for Exim is 4.71, but I
>> suppose that having installed a previous version does not mean "per se"
>> to be at risk.
> I update my Debian Lenny system daily, and that is my issue. If 4.71 is
> available, why isn't it available to Lenny, or is this an rkhunter
I think neither Lenny nor Rkhunter is "failing". I'll try to explain:
- Debian Lenny (stable) is not a "rolling-update" distribution. So once
it is released, it won't update packages just because there is a newer
version available "upstream". Lenny just gets updated packages when there
is a security patch available for each of them. That is, "officially" you
will get only security updates. Whenever a new version of any package is
available (just the case of Exim) you can install it "by hand" and at
your own risk (by compiling, by using a backport repository, by
downloading a .deb file, etc...).
- Rkhunter is just doing its job: it advises you there is a newer version
available for those packages and that's right. It is up to you whether to
upgrade them or not.
I, personally, would not take any step :-)
>> Just follow the advice suggested by the program and take a look into
>> "/var/log/rkhunter.log" to get more information (if any).
> basically that's what the rkhunter log says, the packages are out of
> date. But they AREN'T out of date for lenny. SO, is this a Debian Lenny
> issue, of not updating to Exim 4.71, or an rkhunter issue for telling me
> that even though I can't update to this version, I should beware?
No one's fault.
Just remember that upgrading a package is not an easy task: many things
can fail (other packages can depend on just one package, Exim, for
instance) and that is the reason why stable versions are not upgraded "in
place". Just security patches are included by default.
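
Added example, not part of the original thread: a sketch of how the rkhunter warnings discussed above can be triaged against the distribution's package versions. The warning text follows the subject line; the log layout, the package versions, the app-to-package name mapping and the helper names are constructed assumptions. APP_WHITELIST is the rkhunter.conf option for accepting a known application version.

```python
import re

# Constructed sample log; only the "is out of date" wording comes from the thread.
SAMPLE_LOG = """\
[17:40:01] Warning: Application 'exim', version '4.69', is out of date
[17:40:02] Warning: Application 'openssl', version '0.9.8g', is out of date
[17:40:03] Warning: Application 'php', version '5.2.6', is out of date
"""
# Constructed stand-in for dpkg-query output; revisions are placeholders.
SAMPLE_DPKG = {"exim": "4.69-0example1", "openssl": "0.9.8g-0example2"}

WARN_RE = re.compile(r"'(?P<app>[^']+)', version '(?P<ver>[^']+)', is out of date")

def parse_warnings(log_text):
    """Return (application, flagged_version) pairs from rkhunter log text."""
    return [(m["app"], m["ver"]) for m in WARN_RE.finditer(log_text)]

def split_debian_version(version):
    """Split a Debian version string [epoch:]upstream[-revision]."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def triage(log_text, installed):
    """Separate warnings explained by the stable release's frozen upstream
    version from those that need a manual look."""
    whitelist, review = [], []
    for app, flagged in parse_warnings(log_text):
        _, upstream, revision = split_debian_version(installed.get(app, ""))
        # rkhunter sees only the upstream part; distribution security fixes
        # live in the revision, which the application itself does not report.
        if upstream == flagged and revision:
            whitelist.append(f"{app}:{flagged}")
        else:
            review.append(app)  # not packaged, or version mismatch
    return whitelist, review

def whitelist_line(entries):
    """Format an rkhunter.conf APP_WHITELIST line."""
    return 'APP_WHITELIST="%s"' % " ".join(entries)

if __name__ == "__main__":
    ok, todo = triage(SAMPLE_LOG, SAMPLE_DPKG)
    print(whitelist_line(ok))
    print("review by hand:", ", ".join(todo))
```

A whitelist entry is only appropriate once the package's security updates are confirmed as applied; applications in the review list are not covered by the distribution's patching.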