Exim RCE vulnerability [CVE-2023-42115]

I think the amount of work is pretty much the same ;)

Scenario 1 - I changed custom_version, updated via Custom Build, removed custom_version. For this update, it might have taken two minutes total (90% of the time waiting for the update).

Scenario 2 - DA update - I don't do automatic and I'm pretty sure you don't either ;). So now I have to update DA (waiting a minute for that update), then go into Custom Build, do that update (again, waiting for that update).

Pretty sure it's more efficient in Scenario 1. I'm a certified Lean Six Sigma Black Belt, and know a thing or two about process efficiency, so I'm sure I'm right.

Next time I'll be more explicit in pointing out the inefficiency of the hotfix approach. And I'm not even counting the distraction this is for DA to push out a hotfix - which will confuse many too.
 
Scenario 1 - I changed custom_version,
Then you suddenly forgot that you had altered the custom version and wondered why the updates don't work or worse....
No, I do not agree with you. I am specially using a panel like DA to keep the management of the users/server as simple as possible.
 
That's why I put in a request a few years back that if you have items in custom_versions.txt it is mentioned at the top of the output from da build versions.

Best of both worlds, everyone can decide what works best for them
 
I think the amount of work is pretty much the same ;)
You forgot scenario 3, which is what I was talking about. Suppose you've got 80 servers or more.... it's a major difference then and that was what I was talking about. Not me or maybe you. And yes, I have a partly DA auto update. But again, it's not about me.

If it's not that very necessary to get the hotfix out a.s.a.p. then okay, that's fine with me too, but I had the impression it was important. I might have been wrong, I won't deny that. But I'm not wrong about the time it will take if one has loads of servers.
 
It depends on your skills, but I also want to keep things as simple as I can.

Example: I'm a programmer with Linux experience, so even with 80 servers or more, I just make a program to automatically apply the config/settings on all servers, if needed.

But I'm still too lazy to make a stupid program to fix a small thing on all servers.
 
Yes. The auto-update feature and doing a minimal amount of work to receive an update make much more sense when you have a big fleet of servers to manage.

These recent Exim security issues were really scary before details were publicly disclosed. But they turned out to be not that bad later. The recent glibc local privilege escalation bug looks much nastier (for shared hosting environments). Local privilege escalation issues are completely irrelevant for single-purpose servers (and ignored by a lot of admins managing such servers), but a nightmare for shared hosting.
 