New to Ubuntu, need help in krb5 upgrading 1.10+dfsg~beta1-2ubuntu0.6

Asked by Kadambari

I am new to Ubuntu.
I have one Ubuntu 12.04 LTS server, it has the below krb5 version. I need to upgrade it, so I have downloaded the below .deb files to my home directory. I need the procedure.

krb5-admin-server_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (91.8 KiB)
krb5-gss-samples_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (24.5 KiB)
krb5-kdc-ldap_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (89.4 KiB)
krb5-kdc_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (188.6 KiB)
krb5-multidev_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (120.4 KiB)
krb5-pkinit_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (52.2 KiB)
krb5-user_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (111.9 KiB)
libgssapi-krb5-2_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (115.1 KiB)
libgssrpc4_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (56.1 KiB)
libk5crypto3_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (78.2 KiB)
libkadm5clnt-mit8_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (37.8 KiB)
libkadm5srv-mit8_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (53.2 KiB)
libkdb5-6_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (36.6 KiB)
libkrb5-3_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (346.5 KiB)
libkrb5-dbg_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (1.6 MiB)
libkrb5-dev_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (10.7 KiB)
libkrb5support0_1.10+dfsg~beta1-2ubuntu0.6_amd64.deb (24.0 KiB)

Also I need to know:
1. Is there a way to upgrade krb5 with a single command rather than using so many .deb files?
2. What should be the order of installation of these .deb files so that I don't run into dependency issues?
3. How can I ensure only these packages are upgraded without affecting other software?
4. Does this upgrade need a server reboot?
5. I have copied all .deb files to /usr/local/mydebs on my server as a local repository and mentioned the same in sources.list.

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Kadambari (kadambari-deshpande) said :
#1

Extra info:

The reason why I am looking into this upgrade of krb5 is that I understood there is a DoS vulnerability in the existing version for Ubuntu 12.04 LTS, see http://www.ubuntu.com/usn/usn-2498-1/.
Below is my existing version, so I need to upgrade. Please advise:

$ dpkg -s libkadm5srv-mit8
Package `libkadm5srv-mit8' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ dpkg -s libk5crypto3
Package: libk5crypto3
Status: install ok installed
Architecture: amd64
Source: krb5
Version: 1.10+dfsg~beta1-2ubuntu0.3

:~$ dpkg -s krb5-kdc-ldap
Package `krb5-kdc-ldap' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
:~$ dpkg --info libk5crypto3
dpkg-deb: error: failed to read archive `libk5crypto3': No such file or directory
$ dpkg -s libkdb5-6
Package `libkdb5-6' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
$ dpkg -s libkrb53
Package `libkrb53' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
$ dpkg -s krb5-pkinit
Package `krb5-pkinit' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
$ dpkg -s libkadm5clnt-mit8
Package `libkadm5clnt-mit8' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ dpkg -s libkrb5-3
Package: libkrb5-3
Status: install ok installed
Architecture: amd64
Source: krb5
Version: 1.10+dfsg~beta1-2ubuntu0.3

$ dpkg -s krb5-user
Package `krb5-user' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ dpkg -s krb5-kdc
Package `krb5-kdc' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ dpkg -s libgssrpc4
Package `libgssrpc4' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.

$ dpkg -s libkrb5support0
Package: libkrb5support0
Status: install ok installed
Architecture: amd64
Source: krb5
Version: 1.10+dfsg~beta1-2ubuntu0.3

$ dpkg -s libgssapi-krb5-2
Package: libgssapi-krb5-2
Status: install ok installed
Architecture: amd64
Source: krb5
Version: 1.10+dfsg~beta1-2ubuntu0.3

Manfred Hampl (m-hampl) said :
#2

Why do you want to upgrade only the krb5 packages, but not other packages where there might be patches for severe bugs available (thinking of openssl with heartbleed and freak bugs, or bash with shellshock)?

The recommended way to upgrade packages is using the package management tools.
For a server the usual way is using the apt-get command (provided that the system has access to a public Ubuntu mirror server).

The command sequence

sudo apt-get update
sudo apt-get dist-upgrade

will reload the local inventory of the available packages and will then download and install all packages where updates are available.

If you want to upgrade only one package (and its required dependencies), this should be possible with

sudo apt-get update
sudo apt-get install "packagename"

In your case maybe this command is enough:
sudo apt-get install libkrb5-3

You can test that command with
apt-get --simulate install libkrb5-3

And finally about the necessity of a reboot: if a process is permanently running on your system, then it will still access the old version even after an update. Only newly started processes will access the new versions. So a reboot might be necessary.

actionparsnip (andrew-woodhead666) said :
#3

There are PPAs:
https://launchpad.net/ubuntu/+ppas?name_filter=krb5

But you will need to search for ones supporting Precise.

These carry the usual caveats of PPAs; I don't advise these for professional / business systems.

Kadambari (kadambari-deshpande) said :
#4

Thanks for your explanation, Manfred. I am looking into this upgrade of krb5 because I understood there is a DoS vulnerability in the existing version for Ubuntu 12.04 LTS, as mentioned in http://www.ubuntu.com/usn/usn-2498-1/, so I need to fix it for my customer.

Also, I do not want to go for an entire server package upgrade, as we have customer-customized packages installed on the server and I do not want to create issues for applications by a package upgrade, as I am not sure of the upgrade myself. I built the server for the customer with my RHEL Linux understanding and am not comfortable enough to manage an Ubuntu package upgrade.

Just one more query: why do I just need to install libkrb5-3? Will libk5crypto3, libkrb5support0 and libgssapi-krb5-2 be taken care of and upgraded to version 1.10+dfsg~beta1-2ubuntu0.6 from version 1.10+dfsg~beta1-2ubuntu0.3, as they are also installed on my system?

Once I get downtime approval from the customer I will try the test command you suggested: apt-get --simulate install libkrb5-3

Thanks for your guidance,

Manfred Hampl (m-hampl) said :
#5

You can do the simulation

apt-get --simulate install libkrb5-3

at any time, because that will not change anything, just display what the real command would do; and this simulation will not interfere with the running server.

I expect that upgrading libkrb5-3 with apt-get will also upgrade all dependent packages, and I suppose that also the other krb5 packages will be upgraded.

Just test that command.

If it tells you that it would not upgrade all of the packages that are already installed, then you would have to add the other packages as well, e.g.

apt-get --simulate install libkrb5-3 libk5crypto3
(for testing) respectively
sudo apt-get install libkrb5-3 libk5crypto3
(for real execution)

By the way, if you do not keep all packages on the current version, but only selectively upgrade packages, are you sure that on your system you have patched versions of the packages where severe security bugs were published recently?

What is the output of the commands

dpkg -l | grep libssl
dpkg -l | grep bash

Kadambari (kadambari-deshpande) said :
#6

Thanks for your reply on libkrb5-3 libk5crypto3.
We have a security team which informs about any vulnerabilities and we take action for it as per customer downtime.

$ dpkg -l | grep libssl
ii libssl1.0.0 1.0.1-4ubuntu5.12 (we have upgraded this one)

We would upgrade bash, glibc and krb5 together once the customer gives downtime.
$ dpkg -l | grep bash
ii bash 4.2-2ubuntu2.1

I would also like to know, if we go for overall server patching, whether Ubuntu has a facility to exclude packages (software) which should not be upgraded, like we have in Red Hat. Some applications need to run on older versions only, so how can we restrict this in Ubuntu?

For my server I have opened access to the below:
deb-src http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
But I am not sure if all will get upgraded correctly or whether I will run into dependencies. Will the server boot correctly after this upgrade?

Manfred Hampl (m-hampl) said :
#7

Your system seems to be vulnerable to both the heartbleed and shellshock vulnerabilities!

For correcting the openssl bugs you need libssl1.0.0 version 1.0.1-4ubuntu5.14 or higher (on precise), see http://www.ubuntu.com/usn/usn-2232-1/

For correcting the bash bug you need bash version 4.2-2ubuntu2.3 or higher (on precise), see http://www.ubuntu.com/usn/usn-2363-1/

What you need in your sources.list is (in my opinion):

deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-updates main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-security main restricted universe multiverse

(i.e. "deb" instead of "deb-src", and "precise-updates" and "precise-security" in addition to "precise").

Yes, you can "pin" packages to certain versions. This means that such a package will not be upgraded, even if a higher version is available. ("sudo apt-mark hold packagename")

This seems to be a server that is important for the customer. Can't you afford having a small test system where you can try upgrading and/or changing something on the configuration, before you apply that to the live system?

Kadambari (kadambari-deshpande) said :
#8

Hi Manfred,

I just spoke with the customer; we need to upgrade bash urgently.

I wanted to know if I can do the bash upgrade online without downtime.

What I plan to do is:
I have downloaded bash_4.2-2ubuntu2.5_amd64.deb to my home directory on the server.

$ dpkg -l | grep bash
ii bash 4.2-2ubuntu2.1 (current)

I would do the below:
dpkg -i bash_4.2-2ubuntu2.5_amd64.deb

Then verify using $ dpkg -l | grep bash

Will this need a reboot?

Manfred Hampl (m-hampl) said :
#9

Why bash_4.2-2ubuntu2.5_amd64.deb? The latest version (with the bug fixes for CVE-2014-6277 and CVE-2014-6278) is bash_4.2-2ubuntu2.6_amd64.deb.

If a process is already running and has the bash executable open, it will not switch over to the newer version but will continue to use the old version. The newer version will only be used when that process is restarted, or after a reboot of the server.

If there are no such processes, then a reboot is not required. I do not know whether you have processes running that have the bash binary permanently open. It should be possible to identify processes that have the bash file open with the command
sudo ls -l /proc/*/fd/* | grep bash
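
Added example (not part of the thread, and not code from any participant): after a package upgrade, a process that started earlier keeps the replaced binary or library mapped, and the kernel marks that mapping with "(deleted)" in /proc/<pid>/maps. The sketch below lists such processes so they can be restarted instead of rebooting the whole server; the function names and the sample maps content are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/maps content (not taken from a real host).
sample_maps() {
    cat <<'EOF'
00400000-004e1000 r-xp 00000000 08:01 131085 /bin/bash (deleted)
006e0000-006e1000 r--p 000e0000 08:01 131085 /bin/bash (deleted)
7f3a10000000-7f3a100c8000 r-xp 00000000 08:01 393301 /lib/x86_64-linux-gnu/libkrb5.so.3.3 (deleted)
7f3a10400000-7f3a105b5000 r-xp 00000000 08:01 393229 /lib/x86_64-linux-gnu/libc-2.15.so
7f3a10800000-7f3a10801000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)
7fff5c1e0000-7fff5c201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# stale_maps: read maps-format text on stdin and print each file that is
# mapped executable and whose on-disk copy was replaced or removed.
# Requiring the x permission skips shared-memory segments such as /SYSV...,
# which carry the same "(deleted)" marker but are not outdated code.
stale_maps() {
    awk '$NF == "(deleted)" && $2 ~ /x/ && $6 ~ /^\// && !seen[$6]++ { print $6 }'
}

# scan_procs: print "pid<TAB>command<TAB>stale files" for every live process.
# Run as root, otherwise the maps of other users' processes cannot be read.
scan_procs() {
    for d in /proc/[0-9]*; do
        [ -r "$d/maps" ] || continue
        hits=$(stale_maps 2>/dev/null < "$d/maps" | tr '\n' ' ')
        [ -n "$hits" ] || continue
        printf '%s\t%s\t%s\n' "${d#/proc/}" "$(cat "$d/comm" 2>/dev/null)" "$hits"
    done
}

# "--scan" checks the live system; without it only the functions are defined.
if [ "${1:-}" = "--scan" ]; then scan_procs; fi
```

An empty result from the scan after the upgrade means no running process still executes the old bash or krb5 code.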

Kadambari (kadambari-deshpande) said :
#10

hi Manfred,

Thanks again,

I downloaded the bash_4.2-2ubuntu2.5_amd64.deb and would use it instead.

I have one more query.

To patch the entire server with all the latest available packages for Ubuntu 12.04 LTS I am planning to do the below:

1. Add the below to my sources.list:
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-updates main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-security main restricted universe multiverse

2. sudo apt-get update
3. sudo apt-get dist-upgrade

Let me know if the above procedure is sufficient and correct for an Ubuntu server upgrade.

I wanted to know if I can obtain a list of all packages that would get updated before the actual upgrade, something like a dry run. In RHEL we have yum check-update, so I can send it to my customer to know which packages should not be upgraded, and then I would hold them with the command you told me earlier:
sudo apt-mark hold packagename
Also, I guess I need to hold packages one by one using the above command... Is there a way to exclude a number of packages together?

Do we need to un-hold them after patching or so...

Thanks,

Manfred Hampl (m-hampl) said :
#11

Again: Why bash_4.2-2ubuntu2.5_amd64.deb?
The package that you want to install has two severe bugs (CVE-2014-6277 and CVE-2014-6278) that are corrected only in bash_4.2-2ubuntu2.6_amd64.deb

You can test what package upgrades apt-get would do with the commands

sudo apt-get update
apt-get --simulate dist-upgrade

And once again: Don't you have a chance to use a simple PC as test system, where you can duplicate the setup of your server to verify what the live system would do?
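
Added example (not part of the thread, and not code from any participant): one way to turn the `apt-get --simulate dist-upgrade` output into a reviewable list for the customer, and then hold several packages with a single `apt-mark hold` call. The function names, the package `customer-app` and its versions are hypothetical, and the sample simulation output is constructed.

```shell
#!/bin/sh
# Constructed sample of `apt-get --simulate dist-upgrade` output.
# customer-app and its versions are hypothetical.
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  bash customer-app libkrb5-3
Inst bash [4.2-2ubuntu2.1] (4.2-2ubuntu2.6 Ubuntu:12.04/precise-security [amd64])
Conf bash (4.2-2ubuntu2.6 Ubuntu:12.04/precise-security [amd64])
Inst libkrb5-3 [1.10+dfsg~beta1-2ubuntu0.3] (1.10+dfsg~beta1-2ubuntu0.6 Ubuntu:12.04/precise-security [amd64])
Inst customer-app [2.0-1] (2.1-1 Ubuntu:12.04/precise-updates [amd64])
EOF
}

# pending_upgrades: read simulation output on stdin and print
# "package<TAB>installed<TAB>candidate<TAB>security|regular" per "Inst" line.
# A package that would be newly installed has no [installed] field; it is
# reported with "-" so that new kernels or dependencies are not overlooked.
pending_upgrades() {
    awk '$1 == "Inst" {
        if ($3 ~ /^\[/) { old = substr($3, 2, length($3) - 2); new = substr($4, 2) }
        else            { old = "-"; new = substr($3, 2) }
        kind = ($0 ~ /-security/) ? "security" : "regular"
        printf "%s\t%s\t%s\t%s\n", $2, old, new, kind
    }'
}

# hold_command: arguments are the packages the customer wants left alone.
# Prints one apt-mark command covering those that the simulation would
# actually touch. Holds stay in place until `apt-mark unhold` is run;
# `apt-mark showhold` lists them.
hold_command() {
    pending_upgrades | awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { list = list " " $1 }
        END { if (list != "") print "apt-mark hold" list }'
}

# Real use: apt-get --simulate dist-upgrade | pending_upgrades
if [ "${1:-}" = "--demo" ]; then sample_simulation | pending_upgrades; fi
```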

Kadambari (kadambari-deshpande) said :
#12

Hi, sorry, I made a typo. I meant I downloaded bash_4.2-2ubuntu2.6_amd64.deb, so I would update it using dpkg -i bash_4.2-2ubuntu2.6_amd64.deb...

For patching I have asked the customer for a server clone. I am not sure if I will get one for testing, so I was looking to know which packages to hold if I want to refrain from patching them.
As suggested by you, I would use --simulate dist-upgrade and see the list and then use
sudo apt-mark hold packagename (to exclude packages)
And then probably a system reboot. I am still not sure if my kernel will be upgraded; my existing kernel is 3.11.0-15-generic. Do I need to upgrade it? Or will the below sources list upgrade the kernel automatically to the latest available stable kernel, or will it upgrade only the packages and leave the kernel as is...

Thanks for your help so far... probably I have to keep writing on the post to learn the basics of Ubuntu.

1. Add the below to my sources.list:
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-updates main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-security main restricted universe multiverse

2. sudo apt-get update
3. sudo apt-get --simulate dist-upgrade
4. sudo apt-mark hold packagename
5. sudo apt-get dist-upgrade
6. reboot
Would check

Manfred Hampl (m-hampl) said :
#13

For a simulation you do not need sudo, so command number 3 in your list could be issued as
apt-get --simulate dist-upgrade

3.11.0-15-generic is not a standard kernel for Ubuntu 12.04. This was a kernel for Ubuntu Saucy in December 2013 that was provided for trusty with the LTS-HWE-Saucy add-on, which is not supported any more.
I do not know how you installed that one, so I cannot tell whether there will be an upgrade to a higher version with the apt-get commands.

What is the output of the diagnostic command
hwe-support-status --verbose

see also https://wiki.ubuntu.com/1204_HWE_EOL

Kadambari (kadambari-deshpande) said :
#14

Hi,

I have installed a VM using the iso ubuntu-12.04.4-server-amd64.

$ hwe-support-status --verbose
hwe-support-status: command not found

Kadambari (kadambari-deshpande) said :
#15

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise

Manfred Hampl (m-hampl) said :
#16

Did you install the live server from the same source (i.e. the 12.04.4 server amd64 iso)?
In that case test-running the package upgrade should provide quite similar results to what you can expect for the live server. To get a complete picture, you should install all additional software that you have on the live server also to the test system before trying the upgrade.

Kadambari (kadambari-deshpande) said :
#17

Yes, I mounted the 12.04.4 server amd64 iso on a VMware host and installed an Ubuntu VM using it.

OK, I will make an offline clone of this VM when I get downtime from the customer, then on the original server I would try the below:

1. Add the below to my sources.list:
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-updates main restricted universe multiverse
deb http://213.136.29.218/ubuntu/ precise-security main restricted universe multiverse

2. sudo apt-get update
3. sudo apt-get --simulate dist-upgrade
4. sudo apt-mark hold packagename
5. sudo apt-get dist-upgrade
6. reboot

If it works, fine; else I will bring up the clone so I am at the old situation again, and then download and install the latest glibc and ssl packages to fix their vulnerabilities at minimum.

So is my server in trouble with 12.04.4 LTS and kernel 3.11.0-15-generic?

Manfred Hampl (m-hampl) said :
#18

"so is my server at trouble with 12.04.4 LTS and kernel 3.11.0-15-generic ?"

Your system is at a status which was the standard a year ago, without the improvements and error corrections that have been developed since the original publication date of 12.04.4.
