Suggestions: Upgrade core packages


#1

I noticed a number of suggestions for upgrading what I would call core packages in the suggestion list (see the Software Installations category).

To me, items like "upgrade ImageMagick, MySQL, CVS", etc., just to name a few, are core packages and should always be automatically maintained at current versioning, because so many packages (like phpBB, Gallery, Coppermine, etc.) rely on having these modules kept at current releases.

For example, ImageMagick: the current version is 6.22, while Dreamhost is running 5.4.4, which is well over a few years old and has known security vulnerabilities.

It seems a little odd and worrying that we have to vote to keep these packages up to date.

What do you all think?


WP/Gallery2 Integration Community -> http://wpg2.ozgreg.com/


#2

ImageMagick should definitely be upgraded; it suffers from a buffer overflow that can be triggered by someone uploading a nasty TIFF.

happylittlethings.com


#3

We aren’t voting on whether or not the updates should be made (they obviously should). What we are voting on is the priority of the updates. If there are more votes for MySQL than ImageMagick, it does not mean that DH customers want to see only MySQL updated and not ImageMagick. It means that DH customers would like to see MySQL updated sooner than ImageMagick.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#4

Sorry to disagree, but that is not the way the suggestions are worded, i.e.: "Upgrade to ImageMagick 6".

That, to me, is worded in a way that indicates we are voting to upgrade ImageMagick to version 6, not on when we should do this.

Regardless of the wording, I feel that the customers should not be deciding when to upgrade these packages. Instead, this should be a core admin responsibility, to ensure that the centrally installed modules (such as ImageMagick) are kept up to date.

As it has been said, some of these modules have security issues.

I have no concerns about voting to update modules, but as I posted, I feel that voting to upgrade modules that are core modules (i.e. CVS, ImageMagick, MySQL) is just not right.


WP/Gallery2 Integration Community -> http://wpg2.ozgreg.com/


#5

There certainly is something perverse about it.

I think lottery would be a better way, personally. Each week there should be a lottery on which server and what piece of core software gets updated to the most recent bugfix release.


#6

I have actually raised a support request on ImageMagick, making them aware of the security exploit.


WP/Gallery2 Integration Community -> http://wpg2.ozgreg.com/


#7

Laughs,

Lottery will do it :) However, I was just hoping for a Dreamhost statement along the lines of: "the following modules / software / libraries are considered core and will always be kept / maintained at the latest stable release levels."


WP/Gallery2 Integration Community -> http://wpg2.ozgreg.com/


#8

For example, ImageMagick (current version 6.22) Dreamhost is running 5.4.4 which is well over a few years old, and has known security vulnerabilities.

Note that Debian backports its security patches to older versions, so it’s unlikely that the version installed here is actually vulnerable.

Debian changelog for imagemagick (4:5.4.4.5-1woody6)


If you want useful replies, ask smart questions.


#9

So, the way to 1) see if there is a security vulnerability, and 2) get some action, is to try to exploit the bug… if you can, it will get DH's attention (of course their solution may be to uninstall it completely). If it doesn't work, then you know it's not vulnerable.

I don't know anything about ImageMagick, but I do know that running the brand new release of software is a bad idea for web servers. Most companies wait for it to be out a while, and be deemed ‘stable’, before they install it.

What breaks from 5.4.4 to 6.22? Are you going to recode for all those customers whose sites go down?

There is a whole lot that goes into deciding whether to do an upgrade or not, and until you have tested the exploit, you really can't claim they haven't fixed it.

-Jason

I40.com - Home Page
MP3Mystic - Personal Streaming Music server.
(No longer hosted with Dreamhost)


#10

Jason’s comments here are good and I’ll elaborate a bit.

We rely on Debian’s provided versions of the majority of our software. Debian has a general policy to not do major software version updates within a release of the distribution. They do that for stability reasons. Upgrading any installed software on any of our servers has the potential to break some number of existing websites. For all of the people who want the latest and greatest version of some software, there are probably 10 other people who just want their website to work and continue working.

That said, we do maintain quite a lot of our own custom Debian packages (several hundred) and we do install some from the Debian backports.org project sometimes. Every package we maintain ourselves requires us to do all of the work for that package including all security updates. That work for a single package is not that big of a deal, but it can add up very fast.

We have found that the vast majority of users do not need the additional features of the latest versions of most packages so it is not worth the extra time and effort required to maintain those packages ourselves most of the time. We did just recently go ‘off-road’ and on our own for the python and ruby packages we have installed after a number of requests for those. We do pay attention to the suggestions. Those help us determine what things are most important to most of our users. If something is important enough to enough people, it is worth the effort to maintain and handle any possible website breakage.

We don’t make any guarantees about what version of any particular software package we have installed. Our ‘core’ packages are things like Apache, which we use to host every website. We also maintain PHP ourselves and have added several non-default options at the request of our users.

Note that we are very flexible in what we allow our users to do. You are free and able to install your own updated versions of pretty much any software out there, if you have the necessary technical skills.

Also, regarding the security concerns, Debian applies security patches to older versions of software when there is a security problem rather than updating to a newer, potentially incompatible, version. We are very on top of security updates and it is very unlikely that any software we have installed has any exploits. Things can fall through the cracks, however, so we appreciate you contacting us if you do find any exploits.

  • Dallas
  • DreamHost Head Honcho/Founder
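Posts #8 and #10 make the same practical point: on a Debian-based host the upstream version number alone does not tell you whether a security fix is present, because the fix is backported and shows up only in the Debian revision (the `-1woody6` part) and in the package changelog. The Python below is an added example, not code from this thread, from DreamHost, or from Debian's own tooling. It reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything) and reads a changelog in the `changelog.Debian` format to list the security entries already applied to an installed version. The changelog text, maintainer address and entry wording are constructed for the example and are not the real imagemagick changelog; treating a `-security` distribution suffix or a "security"/CVE mention in the entry as "security-relevant" is a heuristic assumed here.

```python
# Added example: check for backported Debian security fixes by version and changelog,
# instead of comparing the upstream version number to the latest release.
import re

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)\s*$")
SECURITY_RE = re.compile(r"\bsecurity\b|\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample in changelog.Debian format (NOT the real imagemagick changelog).
SAMPLE_CHANGELOG = """\
imagemagick (4:5.4.4.5-1woody6) stable-security; urgency=high

  * Non-maintainer upload by the security team.
  * Backport upstream fix for a heap overflow in an image coder.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=high

  * Backport upstream fix for a file-name handling bug.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

imagemagick (4:5.4.4.5-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
"""


def parse_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision: native package
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(c):
    """dpkg ordering of a non-digit character; '' marks the end of a fragment."""
    if c == "~":
        return -1  # '~' sorts before anything, even the end of the fragment
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)  # letters sort before non-letters
    return ord(c) + 256


def _compare_fragment(a, b):
    """Debian Policy 5.6.12: alternate non-digit and numeric runs."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(pa):], b[len(pb):]
        for i in range(max(len(pa), len(pb))):
            oa = _char_order(pa[i] if i < len(pa) else "")
            ob = _char_order(pb[i] if i < len(pb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def parse_changelog(text):
    """Return changelog entries (newest first) as dicts; trailer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"package": m.group(1), "version": m.group(2),
                            "distribution": m.group(3).strip(),
                            "urgency": m.group(4), "body": []})
        elif entries and line.startswith("  "):  # indented change lines only
            entries[-1]["body"].append(line.strip())
    return entries


def applied_security_fixes(changelog_text, installed_version):
    """Security-relevant entries whose version is <= installed, i.e. already applied."""
    fixes = []
    for e in parse_changelog(changelog_text):
        if compare_versions(e["version"], installed_version) > 0:
            continue  # newer than the installed package: fix not present
        body = " ".join(e["body"])
        if e["distribution"].endswith("-security") or SECURITY_RE.search(body):
            fixes.append((e["version"], e["urgency"], body))
    return fixes


if __name__ == "__main__":
    for version, urgency, body in applied_security_fixes(SAMPLE_CHANGELOG, "4:5.4.4.5-1woody6"):
        print(version, urgency, body)
```

On a real Debian host the inputs come from `dpkg-query -W -f='${Version}' imagemagick` and `zcat /usr/share/doc/imagemagick/changelog.Debian.gz`. Note the epoch: `compare_versions("4:5.4.4.5-1woody6", "6.2.2")` returns 1, because the epoch 4 outranks everything else, which is exactly why an upstream release number cannot be compared to a Debian version string directly and why the changelog, not the number, is the evidence that a fix is present.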