Re: Updating images on GCE to address CVE-2014-0160
- To: Himanshu Vasishth <email@example.com>
- Cc: firstname.lastname@example.org
- Subject: Re: Updating images on GCE to address CVE-2014-0160
- From: Tomasz Rybak <email@example.com>
- Date: Wed, 09 Apr 2014 22:59:53 +0200
- Message-id: <1397077193.3759.8.camel@saruman>
- In-reply-to: <CAOffbx98dN4uPicxWnaqHiBAebAgWUM8O6x5X0=wpUTSooP26g@mail.gmail.com>
- References: <CAOffbx98dN4uPicxWnaqHiBAebAgWUM8O6x5X0=wpUTSooP26g@mail.gmail.com>
Dnia 2014-04-09, śro o godzinie 11:06 -0700, Himanshu Vasishth pisze:
> Hey everyone
> I just wanted to give a quick heads up. We have pushed new images on
> GCE which includes the latest version of openssl package (1.0.1e-2
> +deb7u6) which addresses CVE-2014-0160. The new images are named
> debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
> We have also provided instructions to users no how they can update
> their running instances
> at https://developers.google.com/compute/docs/security-bulletins.
> Now that the images are out, one of the questions that this brings up
> is - should we have automatic upgrades turned on for security issues
> by default on Debian images running on GCE?
> The unattended-upgrades package is configured to only do security
> updates by default, and for most users this would be a good thing to
> turn on. I suspect most users won't mind, and for the small set that
> do care about every update, it would be easy enough for them to turn
> it off.
On one hand having security fixes applied is a Good Thing.
On the other hand - if I would start some long-running process
during which something (here apt) would restart my database,
it would not be nice.
But adding some note (to README, or image description) about
such autoupdate should fix the problem; e.g. Amazon shows times
when it can update PostgreSQL and such a knowledge allows
for planning longer jobs.
Tomasz Rybak <firstname.lastname@example.org> GPG/PGP key ID: 2AD5 9860
Fingerprint A481 824E 7DD3 9C0E C40A 488E C654 FB33 2AD5 9860