Updating images on GCE to address CVE-2014-0160
- To: firstname.lastname@example.org
- Subject: Updating images on GCE to address CVE-2014-0160
- From: Himanshu Vasishth <email@example.com>
- Date: Wed, 9 Apr 2014 11:06:24 -0700
- Message-id: <CAOffbx98dN4uPicxWnaqHiBAebAgWUM8O6x5X0=wpUTSooP26g@mail.gmail.com>
I just wanted to give a quick heads up. We have pushed new images on GCE which includes the latest version of openssl package (1.0.1e-2+deb7u6) which addresses CVE-2014-0160. The new images are named debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
Now that the images are out, one of the questions that this brings up is - should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?
The unattended-upgrades package is configured to only do security updates by default, and for most users this would be a good thing to turn on. I suspect most users won't mind, and for the small set that do care about every update, it would be easy enough for them to turn it off.