Re: keeping the packages up to date
- From: "Brian McKee" <brian.mckee@xxxxxxxxx>
- Date: Sun, 29 Jun 2008 16:16:57 -0400
On Sun, Jun 29, 2008 at 2:35 PM, Michael P. Varre <mvarre@xxxxxxxxxxxx> wrote:
So do you mean to say that even though my Apache2 version is to 2.0.55, and up to date from the package repository, it is still actually up to date with regards to security fixes?
Yes, if you are subscribed to the repositories.
-----Original Message-----
From: ubuntu-users-bounces@xxxxxxxxxxxxxxxx [mailto:ubuntu-users-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Mario Vukelic
Sent: Sunday, June 29, 2008 12:33 PM
To: Ubuntu user technical support, not for general discussions
Subject: Re: keeping the packages up to date
On Sun, 2008-06-29 at 12:19 -0400, Michael P. Varre wrote:
I've noticed that many major packages for things such as Apache2 and
PHP5 don't really stay up to date too much. For instance the newest
package available using aptitude is 2.0.55, yet the newest available
on apache.org is 2.0.63.
<snip>
However, do many have an issue running these systems that are so out
of date due to security concerns?
Are many admins out there really running Ubuntu LTS in production
environments that face the internet?
It is the policy of Debian (and Ubuntu does the same) to backport only
security fixes in a stable release cycle. That is, they don't push out
the new upstream version with all its changes, but just pull out the
security fixes and apply them to the Ubuntu version.
This is done to minimize the amount of changes in a package update, and
thus make it more predictable. I don't use ubuntu-server or apache, but
I am pretty confident that you will find all upstream security fixes
mentioned in the Ubuntu security advisories that accompany the updates.
You can subscribe to those announcements on the appropriate mailing
list
(and if you are running a server, you probably should check them. The
recent openssh-in-Debian fiasco is a reminder that not all security
fixes can be solved by package updates - in this case, keys had to be
regenerated and distributed manually).
See https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
How would I know that for sure? I understand I can keep my eye on the security announcement list; however, is there a way for me to know what exactly is up to date within my packages (that have old version numbers)?
Try 'aptitude changelog apache2' to show what they've done with each
version (or poke around in Synaptic if you use the GUI for the change
logs). It'll show you what you are looking for.
Brian
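
Following the changelog suggestion in the reply above, as an added example that is not part of the original thread: shell functions that read a Debian-format changelog on stdin and report which package version's entry cites each CVE identifier. The function names are hypothetical, the sample changelog (versions, dates, CVE ids) is constructed, and it assumes the packager cites CVE ids in security entries.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format; all values are placeholders.
sample_changelog() {
cat <<'EOF'
apache2 (2.0.55-4ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: constructed entry for illustration
  * References: CVE-0000-1111, CVE-0000-2222

 -- Example Maintainer <maint@example.invalid>  Tue, 01 Jan 2008 00:00:00 +0000

apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: another constructed entry
    - CVE-0000-3333

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2007 00:00:00 +0000

apache2 (2.0.55-4ubuntu2) dapper; urgency=low

  * Rebuild with no security change (constructed)

 -- Example Maintainer <maint@example.invalid>  Sun, 01 Jan 2006 00:00:00 +0000
EOF
}

# Print "version CVE-id" for every CVE id cited in each changelog entry.
cves_by_version() {
  awk '
    /^[a-z0-9][a-z0-9+.-]* \(/ {   # entry header: "package (version) dist; urgency=..."
      ver = $2; gsub(/[()]/, "", ver); next
    }
    {
      line = $0                    # a line may cite several CVE ids
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print ver, substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# Print the version whose entry cites CVE id $1; exit status 1 if none does.
fixed_in() {
  cves_by_version | awk -v id="$1" '$2 == id { print $1; found = 1 } END { exit !found }'
}

sample_changelog | cves_by_version
```

On an installed system the same functions can read the packaged changelog, typically `zcat /usr/share/doc/<package>/changelog.Debian.gz | cves_by_version`. A miss from `fixed_in` only means the changelog does not cite that id, so cross-check against the security announcements before concluding the fix is absent.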