Security update

From Wikitech
Jump to navigation Jump to search

When you notice a security report on one of the following lists you should first check debmonitor to see if we are affected and if we are follow the process here

* debian-security-announce
* debian-security-announce
* ubuntu-security-announce

bla

Phabricator ticket

[] Check for reported regressions
[] Review: check the actually fix patches to ensure that the are sound
[] Review: Ensure correct patches have been backported and are applied e.g. debdiff
[] check reverse dependencies services which may need restarts i.e. `debdeploy query_deps --packages libgd3 -s all`
[] build debdeploy spec file i.e. `generate-debdeploy-spec`
[] confirm restarts with debdeploy
[] deploy to canaries
[] deploy to fleet

Check for reported regressions

First we need to make sure that no regressions have been introduced in the new packed. Check the Debian Tracker and review any bugs which have been raised since the security release.

Review: Review the fix

You should review all vulnerabilities reported to ensure you have a good understanding of the risk profile theses updates resolve. You should also check that the fix looks reasonable.

Review: Review the package

We should check the package to ensure that no bugs have been introduced by the update.

Specifically we need to check:

* all patches included match closely what has been produced upstream
* all patches are applied i.e. debian/patches/series

To do this you need to use debdiff to compare the newsource package with the one installed. You should be able to get the new and old source packages from boron (or the current build server).

$ apt-get source $package=$oldversion
$ apt-get source $package=$newversion
$ debdiff $package$oldversion.dsc $package$newversion.dsc

if you are unable to get the source from apt then download it from snapshot

Build a spec file and deploy

WARNING: please try to avoid making deployments on a Friday!

To build a spec file and deploy consult the Software deployments page. You should deploy the update first to a canary node. If the security update is not critical its good practice to allow the system to run for some time to try and tickle any bugs, how much time is a call the engineer should make based on the severity of the security issue. if the package being installed requires you to restart a service then ensure you consulted the Service restarts page to ensure you correctly [de]pool the service before restarting.

Once you are happy to proceed roll the update out to all systems, it is advisable to do this in batches and again ensure that safely restart and services which require restarting.