Package Update and Security Fixes and version updates

Couple of questions about “working as intended” for Virtualmin

  1. Webmin was updated to 1.480 but “package update” didn’t think I needed any updates, is this as intended?

  2. Apache has a small security hole, happens all the time, but the version of Apache in Virtualmin hasn’t been patched for it. This is okay, if it has and I just didn’t notice, but I didn’t upgrade Apache, and I am pretty sure it didn’t happen without me. So, when does the patch show up? What is considered “normal”?

  3. AWStats is updated to 6.9, but Virtualmin package shows only 6.8. Just for fun I updated it anyway, and things of course broke, so what is the wait time on this kind of issue? When do things get version updates?

Just wanting to know what to expect, that’s all.

Dave

1. Webmin was updated to 1.480 but “package update” didn’t think I needed any updates, is this as intended?

Intended. Webmin goes out to the Webmin.com repos first, and a day or two later comes into the Virtualmin.com repos. Unless there is a security issue, in which case they go at the same time. Virtualmin.com repos get more QC testing, and we also let the community bang on it a little as well.

2. Apache has a small security hole, happens all the time, but the version of Apache in Virtualmin hasn’t been patched for it. This is okay, if it has and I just didn’t notice, but I didn’t upgrade Apache, and I am pretty sure it didn’t happen without me. So, when does the patch show up? What is considered “normal”?

You’ll have to be more specific about what security issue you mean. You’ll also have to tell me what OS/version you’re running. Some systems we have nothing to do with the Apache package. Some, we rebuild with one option changed, and we try to track the OS updates very closely. If I missed one, I’d like to fix it. But, I have no idea where to look. We support over a dozen distros and versions…it’s hard to keep up sometimes.

3. AWStats is updated to 6.9, but Virtualmin package shows only 6.8. Just for fun I updated it anyway, and things of course broke, so what is the wait time on this kind of issue? When do things get version updates?

What do you mean by “updated it anyway”? Updated from a third party repository? Updated from the OS stock repository? Again, I have no idea. We only provide AWStats packages on a couple of operating systems (CentOS/RHEL 4 and 5), and I rebuild the package from EPEL. So, I try to track the version in the EPEL repositories.

Which brings up the point that if you are on CentOS/RHEL, and you are feeling antsy about an old version of something, and you do want to update from some source other than our repository (assuming it’s a package we provide; and it’s not Apache, since it needs custom options), then EPEL is the place to get it. Other third party repositories will put things in possibly odd locations and lead to confusion on the part of Webmin…it just won’t know where to find the configuration files and such. It could also be broken. Third party repositories vary wildly in quality and consistency and in following packaging guidelines.

Anyway, I’m guessing a lot, since I don’t know your OS/version, so I don’t know what we provided, what version we’re currently shipping, or what version is the latest available.

didn't upgrade Apache, and I am pretty sure it didn't happen without me. So, when does the patch show up? What is considered "normal"?

You’ll have to be more specific about what security issue you mean. You’ll also have to tell me what OS/version you’re running. Some systems we have nothing to do with the Apache package. Some, we rebuild with one option changed, and we try to track the OS updates very closely. If I missed one, I’d like to fix it. But, I have no idea where to look. We support over a dozen distros and versions…it’s hard to keep up sometimes

More specific.
Apache Bug from June 9 here: http://secunia.com/advisories/35284/
(note, NOT in Apache’s httpd, but part of the distro)
My OS is CentOS Linux 5.3 64-bit, installed a few days ago (couple weeks?)

What do you mean by "updated it anyway"? Updated from a third party repository? Updated from the OS stock repository? Again, I have no idea. We only provide AWstats packages on a couple of operating systems (CentOS/RHEL 4 and 5), and I rebuild the package from EPEL. So, I try to track the version in the EPEL repositori

I needed RRD support for xymon (system monitor) so I set up “yum” to use “RPMforge” to get the rrdtool package. Easy to do, and then Virtualmin showed me an update to AWStats was available. Being the silly dumb type, I said yes. It failed :)

But you did answer my question: you use the EPEL repository for your reference.

Just a small note, and I am sure there are others that are the same: AWStats is at 6.9 on the website, and has been for 6 months. Someone at EPEL isn’t keeping things up to date either.

I’ll roll an update for Apache today. I somehow missed that one.

AWStats…It’s not a security release, is it? I’ll add it to the queue, but it might be a while before it gets done. I’ve also got a new ClamAV to roll up, and new Webmin and Usermin (and Virtualmin 3.70 is coming soon).

Wait…that advisory is for apr-util. We don’t provide apr-util. That comes from the standard OS repo. So, this particular advisory isn’t something we would ever respond to (but Red Hat/CentOS would).

Nonetheless, we are a couple of revisions behind on our httpd package, so I’ll roll a refresh.