
Re: Updating images on GCE to address CVE-2014-0160



Being able to specify to *Not* restart a service would definitely make things a lot better. For now I think that adding a clear motd warning could be a good middle ground which lets us provide a safe default for all users, while at the same time making it clear to advanced users what they need to do to turn it off.

However, given that there is no consensus on this, I am wondering what's the best way to move forward on this.


On Thu, Apr 10, 2014 at 12:55 PM, Matthew Babcock <MBabcock@aandrsecurity.com> wrote:
I was going to say this yesterday...

In response to the issue of unexpected service restarts after a patch is
installed - like the mysql example - why not simply *NOT* restart any
service after the patch is installed?

There are numerous ways to deliver a message - such as "Application of
$PATCH on $HOST requires service restarts, please restart them A.S.A.P."
- to an administrator and/or contact, no limitations there, send an
SMS...  It is much less than the 140-160 characters an SMS is limited to.

That's how I do it.

Any reboot, cronjob, logrotate config, *or anything else the
administrator put in place* may restart the service on its own, at which
time the patch is then applied.



At least provide a mechanism for this to be controlled. Perhaps
something in /etc/apt/apt.conf.d.

Debian is Free as in Freedom, right? I think we should be free to enable
such a configuration, does this not apply?


Regards,
Matthew


On Thu, 2014-04-10 at 12:23 -0700, Jose R R wrote:
> On Thu, Apr 10, 2014 at 11:24 AM, Himanshu Vasishth
> <hvasishth@google.com> wrote:
> >
> > I agree that there are scenarios where automatic updates are not the right thing. I also understand that Debian users may already be familiar with the fact that Debian doesn't have automatic updates turned on.
> >
> > However, I don't think it is fair to assume that users of Debian on GCE fall in the category
>
> That is highly speculative...
>
> > of folks who are already familiar with Debian and thus expect things to work a specific way. For starters, the quick-start guide on GCE uses a Debian image. Also, the first two images in the UI dropdown that lets users select images are Debian images. As a result it is likely that a significant number of users are not familiar with Debian.
> >
> > There is no README for GCE images, so this is not something we can document there. As I said, I agree that automatic updates may not be the right thing for all users.
> >
> > The question I have is, if we turn on automatic security updates and add a warning in motd clearly pointing out that automatic security updates are turned on and that it may cause long running instances to restart at arbitrary times, would that be sufficient information for users who are running long running tasks to turn it off or would that not be sufficient?
> >
> >
> > On Wed, Apr 9, 2014 at 8:22 PM, olivier sallou <olivier.sallou@gmail.com> wrote:
> >>
> >>
> >>
> >>
> >> 2014-04-10 0:45 GMT+02:00 Anders Ingemann <anders@ingemann.de>:
> >>
> >>> On 9 April 2014 23:14, Himanshu Vasishth <hvasishth@google.com> wrote:
> >>>>
> >>>> Good point. It would certainly not be desirable if a long running process was restarted. We could definitely add a note to the image description.
> >>>>
> >>>> How about also adding a message to motd so that when users login they are made aware of the fact that automatic security updates are turned on and that users should review the settings if they are running long running processes? Let me know if motd is not the right mechanism for this and if there is a different way this should be done. I am still learning about various aspects of Debian.
> >>>>
> >>>>
> >>>> On Wed, Apr 9, 2014 at 1:59 PM, Tomasz Rybak <tomasz.rybak@post.pl> wrote:
> >>>>>
> >>>>> On Wed, 2014-04-09 at 11:06 -0700, Himanshu Vasishth wrote:
> >>>>> > Hey everyone
> >>>>> >
> >>>>> >
> >>>>> > I just wanted to give a quick heads up. We have pushed new images on
> >>>>> > GCE which includes the latest version of openssl package (1.0.1e-2
> >>>>> > +deb7u6) which addresses CVE-2014-0160. The new images are named
> >>>>> > debian-7-wheezy-v20140408 and backports-debian-7-wheezy-v20140408.
> >>>>> >
> >>>>> >
> >>>>> > We have also provided instructions to users on how they can update
> >>>>> > their running instances
> >>>>> > at https://developers.google.com/compute/docs/security-bulletins.
> >>>>> >
> >>>>> >
> >>>>> > Now that the images are out, one of the questions that this brings up
> >>>>> > is - should we have automatic upgrades turned on for security issues
> >>>>> > by default on Debian images running on GCE?
> >>>>> >
> >>>>> >
> >>>>> > The unattended-upgrades package is configured to only do security
> >>>>> > updates by default, and for most users this would be a good thing to
> >>>>> > turn on. I suspect most users won't mind, and for the small set that
> >>>>> > do care about every update, it would be easy enough for them to turn
> >>>>> > it off.
> >>>>>
> >>>>> On one hand having security fixes applied is a Good Thing.
> >>>>> On the other hand - if I would start some long-running process
> >>>>> during which something (here apt) would restart my database,
> >>>>> it would not be nice.
> >>>>>
> >>>>> But adding some note (to README, or image description) about
> >>>>> such autoupdate should fix the problem; e.g. Amazon shows times
> >>>>> when it can update PostgreSQL and such knowledge allows
> >>>>> for planning longer jobs.
> >>>>>
> >>>>> Best regards.
> >>>>>
> >>>>> --
> >>>>> Tomasz Rybak <tomasz.rybak@post.pl> GPG/PGP key ID: 2AD5 9860
> >>>>> Fingerprint A481 824E 7DD3 9C0E C40A  488E C654 FB33 2AD5 9860
> >>>>> http://member.acm.org/~tomaszrybak
> >>>>>
> >>>>
> >>>
> >>> > Now that the images are out, one of the questions that this brings up is - should we have automatic upgrades turned on for security issues by default on Debian images running on GCE?
> >>>
> >>> I think that is a really bad idea (sorry for being blunt), not only because of what Tomasz mentioned but also because you may have customers who have closed down all incoming connections on their machines and only allow outgoing ones (configuration through puppet/chef etc., work being done by fetching from a queue etc.). Those machines will pretty much never need any updates.
> >>> I think the unix principle of least surprise applies here: When users boot up a vanilla official debian image, do they expect unattended security upgrades to be turned on by default?
> >>> The debian installer doesn't do that and neither do most ready to go debian installations I have encountered.
> >>> Just my two cents :-)
> >>
> >>
> >> +1
> >> why not simply specify in the README that there is NO automatic security update and that if the user wishes to do so, he can simply activate it. The image should not launch any unattended action by default.
> >>
> >> Olivier
> >>>
> >>>
> >>> Anders
> >>
> >>
> >>
> >>
> >> --
> >>
> >> gpg key id: 4096R/326D8438  (keyring.debian.org)
> >>
> >> Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438
> >
> >
>
>
>
> --
> Jose R R
> http://www.metztli-it.com
> ---------------------------------------------------------------------------------------------
> NEW Apache OpenOffice 4.0.1! Download for GNU/Linux, Mac OS, Windows.
> ---------------------------------------------------------------------------------------------
> Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
> ---------------------------------------------------------------------------------------------
>
>


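The middle ground discussed in this thread (security-only unattended upgrades on by default, plus a motd notice telling users how to turn them off), written up as an added example; this is not code from the thread or from the GCE images. It assumes the unattended-upgrades option names shipped in wheezy and that /etc/motd is the motd file; the ROOT argument is a staging tree so it can be dry-run outside a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the GCE images: the proposed
# middle ground as a script an image builder could run at build time. It turns
# on security-only unattended upgrades and appends a motd notice that says how
# to turn them off. ROOT targets a staging tree (e.g. a chroot) instead of /.
# Assumes the option names of unattended-upgrades in wheezy and /etc/motd.

write_auto_upgrade_config() {
    root="$1"
    mkdir -p "$root/etc/apt/apt.conf.d"
    # 20auto-upgrades is the switch apt's daily cron job checks; "0" disables it.
    cat > "$root/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # 50unattended-upgrades: only the security archive, and never reboot on its
    # own. Service restarts performed by package maintainer scripts still happen.
    cat > "$root/etc/apt/apt.conf.d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,archive=stable,label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

write_motd_notice() {
    root="$1"
    mkdir -p "$root/etc"
    cat >> "$root/etc/motd" <<'EOF'

NOTICE: automatic security updates (unattended-upgrades) are enabled on this
image. Installing an update may restart services such as databases at an
arbitrary time. If you run long-lived jobs, turn this off by setting
    APT::Periodic::Unattended-Upgrade "0";
in /etc/apt/apt.conf.d/20auto-upgrades.
EOF
}

# Exit status 0 if the staged config has unattended upgrades on, non-zero if not.
auto_upgrades_enabled() {
    grep -qs '^APT::Periodic::Unattended-Upgrade "1";' \
        "$1/etc/apt/apt.conf.d/20auto-upgrades"
}

if [ "$#" -gt 0 ]; then
    write_auto_upgrade_config "$1"
    write_motd_notice "$1"
fi
```

Running it against a staging directory and inspecting the three generated files shows exactly what a user would see at login and which single line they would change to opt out.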

