
Updating images on GCE to address CVE-2014-0160



Hey everyone

I just wanted to give a quick heads up. We have pushed new images on GCE which include the latest version of the openssl package (1.0.1e-2+deb7u6), which addresses CVE-2014-0160. The new images are named debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.

We have also provided instructions to users on how they can update their running instances at https://developers.google.com/compute/docs/security-bulletins.

Now that the images are out, one of the questions that this brings up is - should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?

The unattended-upgrades package is configured to only do security updates by default, and for most users this would be a good thing to turn on. I suspect most users won't mind, and for the small set that do care about every update, it would be easy enough for them to turn it off.

Thoughts?

Thanks
Himanshu
