Updating images on GCE to address CVE-2014-0160
I just wanted to give a quick heads up. We have pushed new images on GCE which include the latest version of the openssl package (1.0.1e-2+deb7u6), which addresses CVE-2014-0160. The new images are named debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
Now that the images are out, one of the questions that this brings up is: should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?
The unattended-upgrades package is configured to only do security updates by default, and for most users this would be a good thing to turn on. I suspect most users won't mind, and for the small set that do care about every update, it would be easy enough for them to turn it off.