RH 9.0 up2date

americanintel

While I have removed the kernel from the skip list in up2date, there are still other issues that may or may not apply to DA, as I understand that DA doesn't use some of the default packages from RH 9.0 (Apache, etc.). Would you mind discussing this a bit and covering security fixes, when and how we are notified, etc.? I receive the updates when DA is updated, but is there a 'security list' available?

Skipped packages from my latest up2date today:

httpd-manual 2.0.40 21.9 Pkg name/pattern
[RHSA-2003:320-09] Updated httpd packages that fix two minor security issues in the Apache Web server are now available for Red Hat Linux 8.0 and 9.

lftp 2.6.3 4 Pkg name/pattern
[RHSA-2003:403-07] Updated lftp packages are now available that fix a buffer overflow security vulnerability.

php-imap 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

php-ldap 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

php-mysql 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

sendmail-cf 8.12.8 9.90 Pkg name/pattern
[RHSA-2003:283-09] Updated Sendmail packages that fix a potentially-exploitable vulnerability are now available.

I realize these are being called out as my install probably had these versions installed (yep, DA will install nicely anyway, installing its own versions/packages).

Thanks,
 
Hello,

For the most part, you should be able to update whatever you want to any version. You just have to note a few things. For one, the same program/version can be compiled in countless different ways, which may or may not affect the config files that are set up. For example, our compile of exim uses perl.o, where some public releases don't have it. Proftpd and vm-pop3d are essentially untouched, while the imapd binary has been edited to accommodate the virtual pop accounts. Mysql rpms/binaries are completely stock; we haven't touched them in any way. Apache and php are compiled on your system, so installing extra rpm modules will probably break them. The best bet is to compile any additional modules yourself, or else completely abandon the customapache script and install everything yourself via rpms (note that frontpage will probably not be included in the rpms if you have mod_ssl).

Bottom line is, you can install anything you want, but you have to be careful with minor things like that.

John
 
americanintel said:
httpd-manual 2.0.40 21.9 Pkg name/pattern
[RHSA-2003:320-09] Updated httpd packages that fix two minor security issues in the Apache Web server are now available for Red Hat Linux 8.0 and 9.

lftp 2.6.3 4 Pkg name/pattern
[RHSA-2003:403-07] Updated lftp packages are now available that fix a buffer overflow security vulnerability.

php-imap 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

php-ldap 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

php-mysql 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

sendmail-cf 8.12.8 9.90 Pkg name/pattern
[RHSA-2003:283-09] Updated Sendmail packages that fix a potentially-exploitable vulnerability are now available.

I realize these are being called out as my install probably had these versions installed (yep, DA will install nicely anyway, installing its own versions/packages).

Thanks,

*httpd* and *php* are both compiled, so you're probably better off leaving them skipped. Unless you are using it, you should be fine removing lftp from your system, then updating your up2date package list so it is no longer included. Same with sendmail: just remove it from your system completely and update your system packages to not include it. You may want to recompile the other httpd and php rpms, since you are more than likely vulnerable to the security issues behind those updates.

Chris
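Putting the two replies above into a small triage script, added here as an example (it is not DirectAdmin code and not something either poster wrote): it reads the pkgSkipList from an up2date config, parses a skipped-packages report in the layout pasted in the first post, and attaches the disposition John and Chris describe to each package (httpd/php are locally compiled by customapache, so an RPM update would clobber them and the fix is a rebuild; lftp and sendmail are stock RH packages DA doesn't use, so remove them if unused or take them off the skip list and update). The assumptions: /etc/sysconfig/rhn/up2date holds `pkgSkipList=` as a `;`-separated list of shell globs, and the report repeats a header line followed by an `[RHSA-...]` line. The config and report below are constructed from the thread, not captured from a live box.

```python
"""Triage an up2date 'skipped packages' report against the DA build notes in this thread."""
import fnmatch
import re

# Constructed sample of /etc/sysconfig/rhn/up2date. Format assumed: key=value lines,
# with a key[comment]=... line per setting and pkgSkipList as ';'-separated globs.
UP2DATE_CONFIG = """\
pkgSkipList[comment]=The list of packages you want to skip
pkgSkipList=kernel*;httpd*;php*;lftp*;sendmail*;
"""

# Constructed from the report pasted in the first post (a subset of it).
SKIPPED_REPORT = """\
httpd-manual 2.0.40 21.9 Pkg name/pattern
[RHSA-2003:320-09] Updated httpd packages that fix two minor security issues in the Apache Web server are now available for Red Hat Linux 8.0 and 9.

lftp 2.6.3 4 Pkg name/pattern
[RHSA-2003:403-07] Updated lftp packages are now available that fix a buffer overflow security vulnerability.

php-imap 4.2.2 17.2 Pkg name/pattern
[RHSA-2003:204-11] Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.

sendmail-cf 8.12.8 9.90 Pkg name/pattern
[RHSA-2003:283-09] Updated Sendmail packages that fix a potentially-exploitable vulnerability are now available.
"""

# Disposition rules taken from John's and Chris's replies above.
DA_BUILT = ("httpd", "php")            # built by customapache; an RPM would clobber the local build
NOT_USED_BY_DA = ("lftp", "sendmail")  # stock RH packages DA does not use

HEADER = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")                 # name version release reason
ADVISORY = re.compile(r"^\[(RHSA-\d{4}:\d+-\d+)\]\s*(.*)$")       # [RHSA-YYYY:NNN-RR] summary


def skip_patterns(config_text):
    """Return the globs listed on the pkgSkipList= line (ignoring the [comment] line)."""
    for line in config_text.splitlines():
        if line.startswith("pkgSkipList="):
            return [p for p in line.split("=", 1)[1].split(";") if p]
    return []


def parse_report(text):
    """Turn the skipped-packages report into a list of dicts, one per package."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        adv = ADVISORY.match(line)
        if adv:
            if current is not None:
                current["advisory"], current["summary"] = adv.group(1), adv.group(2)
            continue
        hdr = HEADER.match(line)
        if hdr:
            current = {"name": hdr.group(1), "version": hdr.group(2), "release": hdr.group(3),
                       "reason": hdr.group(4), "advisory": None, "summary": ""}
            entries.append(current)
    return entries


def base_name(pkg):
    """'httpd-manual' -> 'httpd', 'php-imap' -> 'php', 'lftp' -> 'lftp'."""
    return pkg.split("-")[0]


def disposition(entry, patterns):
    """Say which skip-list globs caught this package and what the thread recommends doing."""
    name = entry["name"]
    matched = [p for p in patterns if fnmatch.fnmatchcase(name, p)]
    if base_name(name) in DA_BUILT:
        action = "keep skipped; rebuild with customapache"
    elif base_name(name) in NOT_USED_BY_DA:
        action = "remove if unused, else drop pattern and update"
    else:
        action = "drop pattern and update via up2date"
    return {"package": name, "advisory": entry["advisory"], "matched_by": matched, "action": action}


def triage(config_text, report_text):
    patterns = skip_patterns(config_text)
    return [disposition(e, patterns) for e in parse_report(report_text)]


def patterns_without(patterns, package):
    """The skip list with every glob that catches `package` removed, i.e. what to write back to unskip it."""
    return [p for p in patterns if not fnmatch.fnmatchcase(package, p)]


def render_skip_list(patterns):
    """Render the list in the assumed pkgSkipList= line format."""
    return "pkgSkipList=" + "".join(p + ";" for p in patterns)


if __name__ == "__main__":
    for row in triage(UP2DATE_CONFIG, SKIPPED_REPORT):
        print(f"{row['package']:14} {row['advisory']:18} {','.join(row['matched_by']):12} {row['action']}")
    print(render_skip_list(patterns_without(skip_patterns(UP2DATE_CONFIG), "lftp")))
```

On a real box you would feed it the actual config file and the report up2date printed; the rules table is the part to keep current as the thread's advice changes (for instance, if you abandon customapache and go all-RPM as John describes, httpd and php move out of DA_BUILT).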
 
I appreciate the replies. I understand what is skipped and why so let me clarify a bit more.

Since DA takes responsibility for Apache, PHP..etc by skipping them I assume DA addresses any and all security issues for those 'skipped' packages.
 
Hello,

We try to keep the versions of the software we include updated with the important security patches, and make them available from our files.directadmin.com/services/<os> server. If a version of the software comes out that only includes new features that DA doesn't use, we may not update that software quickly (example: exim 4.30). If there are any major holes in installed software and security bugfixes become available, we'll get the files updated on our file server as soon as we can. Note that it's up to the server admin to install all of the new software.

John
 
Do you update our licenses with these new packages when you update? Or is it our responsibility to check for updates?

If it's our responsibility, would you consider an announcement list to inform us of new additions?

Thanks.

Jeff
 
Ok, a couple of things here. When explaining something like this, please do so in detail or reference a specific section in the user's manual, which I DO read.

Also, this is something we run into on PHPNuke/NukeCops as well: unless we visit the DA forums we may or may not see the new posts in your Version Updates forum, and even though I typically try to subscribe to those types of forums on other sites for updates, it seems that this works for a while, the forums are updated, the moons align or whatever... and I stop receiving updates. How about sending notices to an opt-in list of DA license holders? Update/security notifications are extremely important (yes, I receive the DA 'has been updated' emails), and unless we subscribe to bugtraq, etc., we may not know.

We try to keep the versions of the software we include updated with the important security patches, and make them available from our files.directadmin.com/services/<os> server.
If a version of the software comes out that only includes new features that DA doesn't use, we may not update that software quickly (example: exim 4.30). If there are any major holes in installed software and security bugfixes become available, we'll get the files updated on our file server as soon as we can. Note that it's up to the server admin to install all of the new software.

Ok, so does this mean we tell DA to check for updates via the CP, or are we supposed to go to that URL, download, and then somehow apply patches to our DA install?

I understand you don't necessarily update just to have the latest and greatest.

Thanks again...
 
The only updates available from the panel are DA updates (updates within the panel itself). Additional software packaged with DA (such as exim, vm-pop3d, etc.) must be updated by you, although the packages are provided by DirectAdmin.

The customapache build system is updated as required and is available to update by following the instructions in the customapache build system thread.

I think that covers all the software provided by DA. Besides that, up2date, Yum, or apt are your easiest options for most software updates.

Chris
 
ProWebUK said:
I think that covers all the software provided by DA. Besides that, up2date, Yum, or apt are your easiest options for most software updates.
Except for the packages you've installed by compiling rather than from RH RPMs.

I know you've given us a list previously and I'm still looking for it, but if you know what they are and can post it in this thread, it'll keep everything in one place.

I'm considering offering a DA updating service, but I don't know if anyone will want to spend the money.

And since different people have different packages, it may not even be cheap.

Jeff
 