In the past 2 or 3 days there’s been 2 or 3 security updates according to suse watcher. Now these "red" items are unchecked and I suppose that’s because they are specially compiled by virtualmin staff to do what they need to do, but that means we are way behind in security updates, updates that would allow hackers to crash our machines by buffer overflows etc.
What exactly is being done about this, anything?
I realize that the open source community can come out with updates faster than virtualmin staff can since you’ve got so much to do, but it makes me feel a bit queery when I can’t or am not supposed to update the kernel because it’s been compiled by you folks, which means unless you fix it, it stays the same, and is vulnerable to the hacks that the yast software manager updater states.
I’m rather concerned about this; perhaps you could briefly explain why your apache is not vulnerable to these attacks while the regular apache 2.x is?
We don’t touch the kernel. We don’t even look at it funny.
There are only a couple of packages that come from us that replace SUSE packages (apache2 packages, mainly, because we have to point suexec docroot somewhere else). Anything else, we’ve got nothing to do with. If I’ve missed an apache update from SUSE, let me know in the bug-tracker, and I’ll get an update rolled out within a couple of hours. I’m on a couple of security lists from SUSE, but I may be missing something important (SUSE is new to me, so I don’t know a lot about how to stay on top of it–I’m open to being educated on what I’m missing). I’ve gone to great lengths to use only packages provided by the OS vendor, because I believe, as you do, that the OS vendor is going to have a lot more resources to devote to keeping things secure and stable than we ever could.
Please do upgrade your kernel! It certainly isn’t going to affect us, and we’ve done nothing to prevent you from updating it.