Kernel Update

MailCleaner Support
Added almost 2 years ago

Out of Date

IMPORTANT: Debian has recently shut down their repositories for Jessie. Any of the steps below will only be possible if you are able to configure a third-party repository which still offers Jessie sources. At this time, the only solution to an out-of-date kernel will be to upgrade to a newer version of Debian. This is not possible to do at this time either. The MailCleaner team is currently working on the next major release of the product, based on Debian Bookworm and will announce the release as soon as it is available.

The remainder of the article is here for your information in case you do have access to an active Jessie repository, and so that it can be repurposed for the next release when a new kernel is available.

Old Instructions

MailCleaner currently ships with a rather old version of the Linux kernel: version 3.16.0-11. As far as we are aware, this does not introduce any remotely exploitable vulnerabilities, so it is not essential to take any action at this time. However, some additional options do exist if you would like to upgrade this component of your system.

Precautions

Although these methods have been tested successfully, it is still recommended that you schedule this upgrade outside of normal operating hours. The GRUB boot menu will let you select the older Kernel if something goes wrong, but each reboot requires some downtime. If you have not rebooted in a long time, there is the possibility of a lengthier restart procedure due to an fsck scan. As an extra precaution, you may wish to take a snapshot prior to either upgrade.

Also note that in some cases, we have discovered that there may be an issue running Docker with these newer Kernels. We are investigating this issue. You may wish to hold off on the update until a resolution is found if you run Docker on your machine. This should not be the case for most users.

Kernel 4.9

The existing repository actually contains a new and supported version of the Kernel which has been tested to work with MailCleaner. You can simply upgrade with the following command:

apt update && apt install linux-image-4.9-amd64

then restart your system.

Kernel 5.10 or later

This method is less encouraged, since it is not officially supported by Debian. It involves either getting the latest LTS (long-term support) release as a backport from a newer Debian version or compiling a new Kernel manually. The simpler option is to get a .deb from the Debian archive with a search like:

https://packages.debian.org/search?arch=amd64&searchon=names&keywords=linux-image-5

5.10 is the latest LTS release, so the following has been tested:

http://ftp.debian.org/debian/pool/main/l/linux-signed-amd64/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

Download this file using the wget command:

wget http://ftp.debian.org/debian/pool/main/l/linux-signed-amd64/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

Newer Kernels have built-in drivers that the old Kernel does not, so you will probably have to remove the conflicting driver:

apt remove xserver-xorg-input-vmmouse

This will not stop your system from booting if you need to select the old Kernel from GRUB, but opening a graphical desktop may result in a non-functional mouse. Simply re-install this driver if you need to revert to the older kernel and experience a mouse issue.

Finally, install the package (the path below assumes the file was downloaded to /root):

dpkg -i /root/linux-image-5.10.0-0.bpo.11-amd64_5.10.92-1~bpo10+1_amd64.deb

then reboot.
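
Added example (not part of MailCleaner's instructions): the package above is fetched over plain HTTP and installed by hand, outside apt's usual index checks, so it is worth comparing the file against the repository's Packages index before running dpkg -i. The function names index_field and verify_deb are hypothetical, and the sketch assumes you already hold a Packages index whose authenticity you have established through the repository's signed Release file.

```shell
#!/bin/sh
# Added example: refuse a manually downloaded .deb unless its size and SHA-256
# match its stanza in a Debian "Packages" index (index assumed already trusted).

# index_field PACKAGES_FILE DEB_BASENAME FIELD
# Prints FIELD (e.g. SHA256, Size) from the stanza whose Filename ends in /DEB_BASENAME.
# Uses a plain suffix compare, not a regex, because names contain "~", "+" and ".".
index_field() {
    awk -v want="/$2" -v field="$3:" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            hit = 0; val = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, " ")
                if (kv[1] == "Filename:" &&
                    substr(kv[2], length(kv[2]) - length(want) + 1) == want) hit = 1
                if (kv[1] == field) val = kv[2]
            }
            if (hit) { print val; exit }
        }' "$1"
}

# verify_deb DEB PACKAGES_FILE -> 0 on match, 1 on mismatch, 2 if not listed.
verify_deb() {
    deb=$1; index=$2; name=$(basename "$deb")
    want_sum=$(index_field "$index" "$name" SHA256)
    want_size=$(index_field "$index" "$name" Size)
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "REFUSE: $name is not listed in $index" >&2; return 2
    fi
    have_size=$(wc -c < "$deb" | tr -d ' ')
    have_sum=$(sha256sum "$deb" | cut -d' ' -f1)
    if [ "$have_size" != "$want_size" ] || [ "$have_sum" != "$want_sum" ]; then
        echo "REFUSE: $name does not match the index (size or SHA-256)" >&2; return 1
    fi
    echo "OK: $name matches the index"
}

# Constructed demo: a stand-in file (not a real package) and a one-stanza index.
demo() {
    d=$(mktemp -d); f="$d/linux-image-demo_1.0_amd64.deb"
    printf 'constructed stand-in, not a real package\n' > "$f"
    printf 'Package: linux-image-demo\nFilename: pool/main/l/demo/%s\nSize: %s\nSHA256: %s\n' \
        "$(basename "$f")" "$(wc -c < "$f" | tr -d ' ')" \
        "$(sha256sum "$f" | cut -d' ' -f1)" > "$d/Packages"
    verify_deb "$f" "$d/Packages"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

In practice you would chain the check to the install step, running dpkg -i only when verify_deb returns 0 for the downloaded file.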

If you prefer to install an even more recent or a more generic or manually optimized Kernel, you should find more detailed instructions for that elsewhere. This is not officially supported by MailCleaner, but an experienced admin should be able to get it to work without any issues.

Automatic update?

Because of the requirement to force a reboot and the very low potential for a failure after that reboot, MailCleaner does not plan to automatically update any currently deployed machines. It is possible that a newer version of the Kernel will be pre-configured in future VM images, but this is not currently under investigation.