[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updating images on GCE to address CVE-2014-0160

On 9 April 2014 23:14, Himanshu Vasishth <hvasishth@google.com> wrote:
Good point. It would certainly not be desirable of a long running process was restarted. We could definitely add a note to image description.

How about also adding a message to motd so that when users login they are made aware of the fact that automatic security updates are turned on and that users should review the settings if they are running long running processes? Let me know if motd is not the right mechanism for this and if there is a different way this should be done. I am still learning about various aspects of Debian.


On Wed, Apr 9, 2014 at 1:59 PM, Tomasz Rybak <tomasz.rybak@post.pl> wrote:
Dnia 2014-04-09, śro o godzinie 11:06 -0700, Himanshu Vasishth pisze:
> Hey everyone
>
>
> I just wanted to give a quick heads up. We have pushed new images on
> GCE which includes the latest version of openssl package (1.0.1e-2
> +deb7u6) which addresses CVE-2014-0160. The new images are named
> debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
>
>
> We have also provided instructions to users no how they can update
> their running instances
> at https://developers.google.com/compute/docs/security-bulletins.
>
>
> Now that the images are out, one of the questions that this brings up
> is - should we have automatic upgrades turned on for security issues
> by default on Debian images running on GCE?
>
>
> The unattended-upgrades package is configured to only do security
> updates by default, and for most users this would be a good thing to
> turn on. I suspect most users won't mind, and for the small set that
> do care about every update, it would be easy enough for them to turn
> it off.

On one hand having security fixes applied is a Good Thing.
On the other hand - if I would start some long-running process
during which something (here apt) would restart my database,
it would not be nice.

But adding some note (to README, or image description) about
such autoupdate should fix the problem;  e.g. Amazon shows times
when it can update PostgreSQL and such a knowledge allows
for planning longer jobs.

Best regards.

--
Tomasz Rybak <tomasz.rybak@post.pl> GPG/PGP key ID: 2AD5 9860
Fingerprint A481 824E 7DD3 9C0E C40A  488E C654 FB33 2AD5 9860
http://member.acm.org/~tomaszrybak



> Now that the images are out, one of the questions that this brings up is - should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?

I think that is a really bad idea (sorry for being blunt), not only because of what Tomasz mentioned but also because you may have customers who have closed down all incoming connections on their machines and only allow outgoing ones (configuration through puppet/chef etc., work being done by fetching from a queue etc.). Those machines will pretty much never need any updates.
I think the unix principle of least surprise applies here: When users boot up a vanilla official debian image, do they expect unattended security upgrades to be turned on by default?
The debian installer doesn't do that and neither do most ready to go debian installations I have encountered.
Just my two cents :-)

Anders
Reply to: