
Re: Efficient way to keep track of security updates



Hi Paul,

Thanks for the tips, I think the links you sent me and aptitude fixed my problem.
I have one more question: checkrestart lists the processes that need to be restarted, so I can do that without a reboot, but, except for a kernel upgrade, are there any other cases when a reboot is still required so that the kernel uses the new versions? For example, with eglibc I restarted the affected services. Do I still have to reboot?

2015-01-28 10:59 GMT+02:00 Paul Wise <pabs@debian.org>:
On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:

> Yesterday a security upgrade for eglibc was announced and my question is how
> do you find if this applies to your server or not and for which packages
> (it's just an example, could be something else than eglibc)?

Every Debian machine uses eglibc/glibc so this applies to every server
running Debian in some way.

To find out if Debian is affected by a particular security issue and
if it is fixed, look up the CVE on the security tracker:

https://security-tracker.debian.org/tracker/CVE-2015-0235

To find out if a particular source package is affected by any security
issues, look up the package in the security tracker:

https://security-tracker.debian.org/tracker/source-package/eglibc

To get advanced warning of security issues on your system before they
are fixed, install the debsecan package. It has a whitelist function
for issues that only affect some usage situations.

> Searching the list of installed packages for the exact name returns nothing.
> Searching by a simpler name like libc returns this:

eglibc/glibc are source package names, not binary package names. A
quick way of getting the installed binary packages for a particular
source package is to use aptitude or visit the packages website:

aptitude search '~i?source-package(^eglibc$)'
https://packages.debian.org/src:eglibc

> receiving tens of emails regarding a certain security upgrade is something I would avoid.

You could just subscribe to debian-security-announce:

https://lists.debian.org/debian-security-announce/

You could install and configure the unattended-upgrades package
instead of using apticron. Please note that you still need to do
reboots after Linux kernel updates and restart relevant processes
after library upgrades. You can use needrestart (jessie and later) or
checkrestart (from debian-goodies) to find out which processes to
restart.

--
bye,
pabs

https://wiki.debian.org/PaulWise

--
Tiberiu
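
The signal behind "needs a restart after a library upgrade" is a process that still maps a shared object whose file has since been deleted or replaced on disk. The following is an added example, not part of the original thread and not code from checkrestart or needrestart; the function names and the optional proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map a shared library whose
# on-disk file was removed or replaced (e.g. by an eglibc/glibc upgrade).
# Paths containing spaces are not handled.

# Print the deleted shared-object paths found in one maps file, one per line.
# maps format: address perms offset dev inode pathname
# The kernel appends " (deleted)" when the mapped file has been unlinked.
stale_libs_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9]+)*$/ { print $(NF-1) }' "$1" \
        | sort -u
}

# Print "PID COMM LIBRARY" for every process with a stale library mapping.
# $1 is a hypothetical override of the proc root (default /proc) so the
# logic can also be run against a constructed directory tree.
stale_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        pid="${d##*/}"
        comm="$(cat "$d/comm" 2>/dev/null || echo '?')"
        # Unreadable maps (other users' processes when not root) are skipped.
        stale_libs_in_maps "$d/maps" 2>/dev/null | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Usage, as root so that every process is visible:
#   stale_procs
```

An empty result means no running process holds a deleted library mapping; it says nothing about the running kernel, which only changes at reboot.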
