Those packages are downloaded and installed during the Directadmin installation process, but a predefined method of keeping these packages up-to-date seems to be missing.
The best practices on keeping your system up-to-date and secure (http://help.directadmin.com/item.php?id=247) are only mentioning the distro specific package managers (apt, yum, etc.) and the applicable custombuild commands. If only those two methods are used by a system administrator on a regular basis, they will eventually end up with outdated versions of Exim, Proftp and other services.
Currently, I have two questions about this issue:
1. What would be the best practice of keeping these custom packages up-to-date? Shouldn’t the documentation be updated on this to prevent users from running outdated software and exposing them to the resulting security risks?
2. Why do we have these custom packages at all? Most of these programs seem to be present in the distro specific package repositories, or can optionally be build using custombuild. Why not let custombuild install and update these programs, or install them from the vendors repositories.
One urgent advice I would like to give to Directadmin users is to check their versions of at least Exim and Proftpd, as these are normally exposed to the Internet. Proftp had some nasty security issues over the past years. I suspect that there are a lot of sysadmins out there that presume their systems are up-to-date, but in fact are running vulnerable services.