The current version of MailCleaner originally shipped with a rather old version of the Linux kernel; version 3.16.0-11. As far as we are aware, this does not introduce any remotely exploitable vulnerabilities, so it is not essential to take any action at this time. However, some additional options do exist if you would like to upgrade this component of your system.

Precautions¶

Despite this methods being tested successfully and the new kernel working properly with the latest VM images, it is still recommended that you take a backup snapshot of your VM and schedule this upgrade outside of normal operating hours. The GRUB boot menu will let you select the older Kernel if something goes wrong, but each reboot requires some downtime and it is possible that the GRUB menu could be broken during the update. If you have not rebooted in a long time, there is the possibility of a lengthier restart procedure due to an fsck scan.

Kernel 4.9¶

The existing repository actually contains a new and supported version of the Kernel which has been tested to work with MailCleaner. You can simply upgrade with the following command:

apt update && sudo apt install linux-image-4.9-amd64

then restart your system.

Kernel 5.10 or later¶

This method is less encouraged, since it is not officially supported by Debian. It involves getting the latest LTS (long-term support) release from either a backported release from a newer Debian version or compiling a new Kernel manually. The simpler option is to get a .deb from the Debian archive with a search like:

https://packages.debian.org/search?arch=amd64&searchon=names&keywords=linux-image-5

5.10 is the latest LTS release, so the following has been tested:

http://ftp.debian.org/debian/pool/main/l/linux-signed-amd64/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

Download this file using the wget command:

wget http://ftp.debian.org/debian/pool/main/l/linux-signed-amd64/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

Newer Kernels have built-in drivers that the old Kernel does not, so you will probably have to remove the conflicting driver:

apt remove xserver-xorg-input-vmmouse

this will not stop your system from booting if you need to select the old Kernel from GRUB, but opening a graphical desktop may result in a non-functional mouse. Simply re-install this driver if you need to revert to the older kernel and experience a mouse issue.

Finally, install the package:

dpkg -i /root/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

then reboot.

If you prefer to install an even more recent or a more generic or manually optimized Kernel, you should find more detailed instructions for that elsewhere. This is not officially supported by MailCleaner, but an experienced admin should be able to get it to work without any issues.

Automatic update?¶

Because the requirement to force a reboot and the very low potential for a failure after that reboot, MailCleaner does not plan to automatically update any currently deployed machines. It is possible that a newer version of the Kernel will be pre-configured in future VM images, but this is not currently under investigation.

Migrate to an new VM image instead?¶

If your machine has been keeping up with normal updates, there is very little to be gained from migrating your data to a new installation using the latest VM image. The pre-installed 4.9 kernel is one of the only changes that you will notice. Since the migration process takes longer and is more involved than just upgrading the kernel, it is not recommended to perform a migration just to get the new kernel. If you still want to use this method there are instructions here:

https://support.mailcleaner.net/boards/3/topics/25-cloning-the-same-mailcleaner