Virtualmin on Ubuntu not picking up newer apache modules (was: Security policy ...)

#1 Tue, 03/09/2010 - 07:32
bengtan

Hi,

I'm a bit confused about something.

I have a server running Virtualmin GPL, currently 3.76. Some of the apache2 related modules running on it are:

apache2-doc 2.2.8-11vm

apache2-mpm-prefork 2.2.8-11vm

apache2.2-common 2.2.8-11vm

which come from the Virtualmin repository for Hardy Heron.

Problem is ... these modules were installed on the server several months ago and are (relatively) quite old. Normally this is not a problem, except that since the time these modules were installed ...

o Apache has had one or two security releases

o Ubuntu Hardy repositories also have had some security releases for Apache.

So the apache* 2.2.8-11vm packages on my server have not been updated since these security vulnerabilities have come out.

I've tried updating the package information on my server, but it doesn't find any newer apache* modules from the Virtualmin repository.

So my question is ...

Is it okay to be using these apache* 2.2.8-11vm packages? Am I pulling stuff from incorrect repositories?

Is 2.2.8-11vm the latest version of these packages?

If 2.2.8-11vm is the latest, then these packages are outdated and presumably vulnerable. What is Virtualmin's policy on security updates from upstream sources?

I hope you can clarify this. Something doesn't feel quite right.

Thank you.

EDIT: Changing title of post to be more accurate.

Tue, 03/09/2010 - 07:40
bengtan

Also, if it helps, this is my output from an update. Executing this command didn't change my situation.


$ sudo apt-get update
Hit http://software.virtualmin.com virtualmin-hardy Release.gpg
Ign http://software.virtualmin.com virtualmin-hardy/main Translation-en_AU
Hit http://security.ubuntu.com hardy-security Release.gpg
Ign http://security.ubuntu.com hardy-security/main Translation-en_AU
Ign http://security.ubuntu.com hardy-security/restricted Translation-en_AU
Hit http://us.archive.ubuntu.com hardy Release.gpg
Ign http://us.archive.ubuntu.com hardy/main Translation-en_AU
Ign http://us.archive.ubuntu.com hardy/restricted Translation-en_AU
Hit http://software.virtualmin.com virtualmin-hardy Release
Ign http://security.ubuntu.com hardy-security/universe Translation-en_AU
Ign http://security.ubuntu.com hardy-security/multiverse Translation-en_AU
Hit http://security.ubuntu.com hardy-security Release
Hit http://software.virtualmin.com virtualmin-hardy/main Packages
Ign http://us.archive.ubuntu.com hardy/universe Translation-en_AU
Ign http://us.archive.ubuntu.com hardy/multiverse Translation-en_AU
Hit http://us.archive.ubuntu.com hardy-updates Release.gpg
Ign http://us.archive.ubuntu.com hardy-updates/main Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/restricted Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/universe Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/multiverse Translation-en_AU
Hit http://us.archive.ubuntu.com hardy Release
Hit http://security.ubuntu.com hardy-security/main Packages
Hit http://us.archive.ubuntu.com hardy-updates Release
Hit http://security.ubuntu.com hardy-security/restricted Packages
Hit http://security.ubuntu.com hardy-security/main Sources
Hit http://security.ubuntu.com hardy-security/restricted Sources
Hit http://security.ubuntu.com hardy-security/universe Packages
Hit http://us.archive.ubuntu.com hardy/main Packages
Hit http://us.archive.ubuntu.com hardy/restricted Packages
Hit http://us.archive.ubuntu.com hardy/main Sources
Hit http://us.archive.ubuntu.com hardy/restricted Sources
Hit http://us.archive.ubuntu.com hardy/universe Packages
Hit http://security.ubuntu.com hardy-security/universe Sources
Hit http://security.ubuntu.com hardy-security/multiverse Packages
Hit http://security.ubuntu.com hardy-security/multiverse Sources
Hit http://us.archive.ubuntu.com hardy/universe Sources
Hit http://us.archive.ubuntu.com hardy/multiverse Packages
Hit http://us.archive.ubuntu.com hardy/multiverse Sources
Hit http://us.archive.ubuntu.com hardy-updates/main Packages
Hit http://us.archive.ubuntu.com hardy-updates/restricted Packages
Hit http://us.archive.ubuntu.com hardy-updates/main Sources
Hit http://us.archive.ubuntu.com hardy-updates/restricted Sources
Hit http://us.archive.ubuntu.com hardy-updates/universe Packages
Hit http://us.archive.ubuntu.com hardy-updates/universe Sources
Hit http://us.archive.ubuntu.com hardy-updates/multiverse Packages
Hit http://us.archive.ubuntu.com hardy-updates/multiverse Sources
Reading package lists... Done

Tue, 03/09/2010 - 08:41
andreychek

Howdy,

You should be seeing version 2.2.8-12vm.ubuntu0.14 for Apache in Virtualmin's repository.

If you aren't -- well, that's odd :-)

I verified that the actual packages are in the repo.

After running the "apt-get update" that you ran above, if you don't see a newer Apache when running "apt-get upgrade", it's possible something's wrong with the repository's metadata, and I can talk to Joe about that.

In the meantime, while it's a bit of a pain, you can always manually download the files from in here:

http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/bi...

Tue, 03/09/2010 - 09:03
bengtan

Hi,

Thank you for your very prompt response.

I'd say there's likelier to be something wrong with my system setup so let me go have a look at that and report back.

> you can always manually download the files from in here:

Thanks, but I'd rather do things the right way because there may be other packages which aren't picked up.

Which brings me to the following questions (out of curiosity) ...

Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

How come you had to modify apache (if it's not too long to answer)?

Tue, 03/09/2010 - 09:33
bengtan

Hi,

No luck in trying to get apt-get to pick up the 2.2.8-12vm.ubuntu0.14 versions.

I've tried various apt-get cleans and upgrades and installs and it's just not acknowledging any of the newer versions of the affected packages.

Here also is the bottom of my /etc/apt/sources.list:

# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner

deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-hardy main

Can you please get someone to check the repository metadata? Or anything else you can think of that I can check?

Tue, 03/09/2010 - 09:54
bengtan

Here's something that may or may not be interesting.

Downloading the file http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/bi... and then doing a grep for applicable version numbers gives:

$ grep '2.2.8-.*vm' Packages  | grep Version | sort | uniq
Version: 2.2.8-10ubuntu0.6vm
Version: 2.2.8-10vm.ubuntu0.15
Version: 2.2.8-11vm

The latest version that appears in the Packages file is 2.2.8-11vm. The version string 2.2.8-12vm.ubuntu0.14 does not appear at all.
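The check described in the post above, as an added example that is not part of the original thread: it parses a Packages index and compares versions with Debian's ordering rules rather than the lexical order that `sort` gives, which goes beyond the grep shown. The sample index is constructed (only the version strings come from the thread), and the function names are hypothetical.

```python
import re

# Constructed sample index: version strings are from the thread, the stanza layout is assumed.
SAMPLE_INDEX = "\n\n".join(
    f"Package: apache2.2-common\nVersion: {v}"
    for v in ("2.2.8-10ubuntu0.6vm", "2.2.8-10vm.ubuntu0.15", "2.2.8-11vm"))

def _order(c):
    # Debian ordering inside a non-digit run: '~' < end of string (0) < letters < others
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        da, db = re.match(r"\d*", a[len(na):]).group(), re.match(r"\d*", b[len(nb):]).group()
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
        ka = [_order(c) for c in na] + [0] * (len(nb) - len(na))
        kb = [_order(c) for c in nb] + [0] * (len(na) - len(nb))
        key_a, key_b = (ka, int(da or 0)), (kb, int(db or 0))
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    return 0

def deb_cmp(a, b):
    """Return -1, 0 or 1 using Debian's epoch:upstream-revision ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def newest_in_index(text):
    """Map each package name to the highest version listed in the index."""
    best = {}
    for stanza in text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l and l[0] != " ")
        name, ver = f.get("Package"), f.get("Version")
        if name and ver and (name not in best or deb_cmp(ver, best[name]) > 0):
            best[name] = ver
    return best

def index_is_stale(text, package, expected):
    """True when the version said to be published is newer than any the index lists."""
    newest = newest_in_index(text).get(package)
    return newest is None or deb_cmp(expected, newest) > 0

if __name__ == "__main__":
    print(index_is_stale(SAMPLE_INDEX, "apache2.2-common", "2.2.8-12vm.ubuntu0.14"))
```

A stale result means apt cannot offer the newer .deb files even when they sit in the repository, because apt only installs what the index lists.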

Thu, 04/22/2010 - 11:25 (Reply to #6)
danielblues

Hi,

I've added a request for this here: https://www.virtualmin.com/node/14130. The .deb packages are in the repo; from what I know, the "Packages*" files need to be recreated.

daniel

Wed, 03/10/2010 - 14:22
andreychek

Howdy,

> Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

You can see a list of all the custom modified software by browsing the Virtualmin Ubuntu repository:

http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/bi...
