2021-03-19

PHP upgrade due to security concerns

root@mercury:/local/home/daniel/www/Recipes# apt list --upgradable | grep -i php

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libapache2-mod-php/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
libapache2-mod-php7.4/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
php-common/unknown 2:82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:73+0~20200221.21+debian9~1.gbp29416a]
php-gd/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
php-mysql/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
php7.4/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e all [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-cli/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-common/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-curl/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-gd/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-intl/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-json/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-mbstring/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-mysql/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-opcache/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-readline/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-soap/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-xml/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-zip/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]

Night before:

 apt autoremove

... removed libasound2 libasound2-data libjsoncpp1 libstartup-notification0 libxcb-util0


Day of:

 apt install php7.4

... this only installed one thing.

 apt install php

... did libapache2-mod-php8.0 php8.0 php8.0-cli php8.0-common php8.0-opcache php8.0-readline

But that still left a big list. So then libapache2-mod-php libapache2-mod-php7.4 ... which did a huge batch php-common php-gd php-mysql

Then re-apply local mods to /etc/php/7.4/apache2/php.ini
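
Added example (not part of the original notes): the listing above shows why "apt install php" pulled in php8.0. The unversioned packages (php, php-gd, php-mysql, libapache2-mod-php) move from 7.4 to 8.0, while the php7.4-* packages only move to a newer 7.4 patch level. This filter flags the branch-crossing entries before anything is installed; the function names branch_jumps and sample_upgradable are made up for this example.

```shell
#!/bin/sh
# Added example: flag packages in `apt list --upgradable` output whose upgrade
# crosses a PHP branch (e.g. 7.4 -> 8.0) rather than staying on a patch level.

# branch_jumps: reads `apt list --upgradable` lines on stdin and prints
# "<package> <old-branch> -> <new-branch>" for each branch-crossing upgrade.
branch_jumps() {
    awk '
    # Leading X.Y of a Debian version string, ignoring an "N:" epoch.
    # Returns "" when the version has no leading X.Y (e.g. php-common).
    function branch(v) {
        sub(/^[0-9]+:/, "", v)
        if (match(v, /^[0-9]+\.[0-9]+/)) return substr(v, RSTART, RLENGTH)
        return ""
    }
    /\[upgradable from: / {
        split($1, name, "/")             # "php/unknown" -> "php"
        old = $NF; sub(/\]$/, "", old)   # last field is "<old-version>]"
        nb = branch($2); ob = branch(old)
        if (nb != "" && ob != "" && nb != ob)
            print name[1], ob, "->", nb
    }'
}

# Sample input: five lines copied from the listing in these notes, plus the
# apt warning line, which the filter must ignore.
sample_upgradable() {
    cat <<'EOF'
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
php/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
php-common/unknown 2:82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:73+0~20200221.21+debian9~1.gbp29416a]
php-gd/unknown 2:8.0+82+0~20210313.35+debian9~1.gbpa8195f all [upgradable from: 2:7.4+73+0~20200221.21+debian9~1.gbp29416a]
php7.4/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e all [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
php7.4-cli/unknown 7.4.16-1+0~20210305.42+debian9~1.gbpbbe65e amd64 [upgradable from: 7.4.3-4+0~20200224.14+debian9~1.gbp0d6014]
EOF
}

sample_upgradable | branch_jumps
```

On the live box the same filter would be fed with: apt list --upgradable 2>/dev/null | branch_jumps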

... so while we're on a roll, do

 apt remove python2.7 python2.7-minimal
 apt install tzdata screen python3.5 postfix 
 service postfix reload
 apt install passwd bind9 login postfix-sqlite python3-certbot certbot

... check new version of /etc/postfix/makedefs.out

 apt autoremove

nmap exploration

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-19 10:37 EDT
Nmap scan report for bonmot.ca (5.39.78.158)
Host is up (0.10s latency).
rDNS record for 5.39.78.158: mercury.bonmot.ca

PORT    STATE    SERVICE       VERSION
22/tcp  open     ssh           OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4p1: 
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	SSH_ENUM	5.0	https://vulners.com/canvas/SSH_ENUM	*EXPLOIT*
|     	PACKETSTORM:150621	5.0	https://vulners.com/packetstorm/PACKETSTORM:150621	*EXPLOIT*
|     	MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS	5.0	https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS	*EXPLOIT*
|     	EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	5.0	https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	*EXPLOIT*
|     	EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	5.0	https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	*EXPLOIT*
|     	EDB-ID:45939	5.0	https://vulners.com/exploitdb/EDB-ID:45939	*EXPLOIT*
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|     	CVE-2018-15473	5.0	https://vulners.com/cve/CVE-2018-15473
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	1337DAY-ID-31730	5.0	https://vulners.com/zdt/1337DAY-ID-31730	*EXPLOIT*
|     	EDB-ID:45233	4.6	https://vulners.com/exploitdb/EDB-ID:45233	*EXPLOIT*
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|     	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
|     	EDB-ID:46193	0.0	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	1337DAY-ID-32009	0.0	https://vulners.com/zdt/1337DAY-ID-32009	*EXPLOIT*
|_    	1337DAY-ID-30937	0.0	https://vulners.com/zdt/1337DAY-ID-30937	*EXPLOIT*
25/tcp  filtered smtp
53/tcp  open     domain        (unknown banner: get lost)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    lost
80/tcp  open     http          Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
| vulners: 
|   cpe:/a:apache:http_server:2.4.25: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	7.2	https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	*EXPLOIT*
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	1337DAY-ID-32502	7.2	https://vulners.com/zdt/1337DAY-ID-32502	*EXPLOIT*
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	EDB-ID:47689	5.8	https://vulners.com/exploitdb/EDB-ID:47689	*EXPLOIT*
|     	CVE-2020-1927	5.8	https://vulners.com/cve/CVE-2020-1927
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	1337DAY-ID-33577	5.8	https://vulners.com/zdt/1337DAY-ID-33577	*EXPLOIT*
|     	SSV:96537	5.0	https://vulners.com/seebug/SSV:96537	*EXPLOIT*
|     	MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	5.0	https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	*EXPLOIT*
|     	EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	5.0	https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	*EXPLOIT*
|     	CVE-2020-9490	5.0	https://vulners.com/cve/CVE-2020-9490
|     	CVE-2020-1934	5.0	https://vulners.com/cve/CVE-2020-1934
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-17189	5.0	https://vulners.com/cve/CVE-2018-17189
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2018-1303	5.0	https://vulners.com/cve/CVE-2018-1303
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-7659	5.0	https://vulners.com/cve/CVE-2017-7659
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	1337DAY-ID-28573	5.0	https://vulners.com/zdt/1337DAY-ID-28573	*EXPLOIT*
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|     	EDB-ID:47688	4.3	https://vulners.com/exploitdb/EDB-ID:47688	*EXPLOIT*
|     	CVE-2020-11993	4.3	https://vulners.com/cve/CVE-2020-11993
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-1302	4.3	https://vulners.com/cve/CVE-2018-1302
|     	CVE-2018-1301	4.3	https://vulners.com/cve/CVE-2018-1301
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|     	1337DAY-ID-33575	4.3	https://vulners.com/zdt/1337DAY-ID-33575	*EXPLOIT*
|     	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
|     	PACKETSTORM:152441	0.0	https://vulners.com/packetstorm/PACKETSTORM:152441	*EXPLOIT*
|     	EDB-ID:46676	0.0	https://vulners.com/exploitdb/EDB-ID:46676	*EXPLOIT*
|     	EDB-ID:42745	0.0	https://vulners.com/exploitdb/EDB-ID:42745	*EXPLOIT*
|     	1337DAY-ID-663	0.0	https://vulners.com/zdt/1337DAY-ID-663	*EXPLOIT*
|     	1337DAY-ID-601	0.0	https://vulners.com/zdt/1337DAY-ID-601	*EXPLOIT*
|     	1337DAY-ID-4533	0.0	https://vulners.com/zdt/1337DAY-ID-4533	*EXPLOIT*
|     	1337DAY-ID-3109	0.0	https://vulners.com/zdt/1337DAY-ID-3109	*EXPLOIT*
|_    	1337DAY-ID-2237	0.0	https://vulners.com/zdt/1337DAY-ID-2237	*EXPLOIT*
110/tcp open     pop3          Dovecot pop3d
143/tcp open     imap          Dovecot imapd
416/tcp closed   silverplatter
443/tcp open     ssl/ssl       Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.25 (Debian)
587/tcp open     smtp          Postfix smtpd
993/tcp open     ssl/imap      Dovecot imapd
995/tcp open     ssl/pop3      Dovecot pop3d
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.91%I=7%D=3/19%Time=6054B739%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,43,"\0A\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\t\x08get\x20lost\xc0
SF:\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
Service Info: Hosts: bonmot.ca,  mercury.bonmot.ca; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds