Obtaining security updates

From LQWiki

Overview

As vulnerabilities and other instabilities are discovered in the software you have installed on your system, you will need to obtain and install updated versions of this software in order to avoid unnecessarily risking the integrity of your system.

Software on your system will usually fall into two categories: software that is managed as part of your distribution, and software that you have installed from source or that is otherwise not managed as part of your distribution. As a result, multiple methods may be required to keep your system up to date, depending on the software you have installed.

Non-Distribution Software

Not all packages you may be able to install through your system's package management facilities are necessarily a part of your distribution.

[more on software installed from source]

[more on custom patches]

Distribution Specific

Your distribution may provide a distribution-specific means of obtaining security updates and notifications. Most distributions only provide security updates and notifications for software distributed as a part of the distribution. In most cases you can use the package manager of your distribution to obtain the distribution's latest security fixes.

Fortunately, most distributions include a sufficiently broad set of officially supported software that distribution-specific security update facilities will be available at least for base system software and critical services.

Debian

The central source for Debian security information is http://www.debian.org/security/. This site includes recent Debian security alerts, as well as links to additional information about Debian security procedures, and resources for securing your Debian system.

In order to obtain security updates for your Debian stable system, add the following line to /etc/apt/sources.list:

deb http://security.debian.org/ sarge/updates main contrib non-free

You may safely remove contrib and non-free if you do not use non-DFSG-free software.
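A way to confirm that the security entry is actually active rather than missing or commented out, as an added example that is not part of the original wiki page. The function name has_security_source and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# has_security_source FILE RELEASE
# Exit 0 if FILE contains an active "deb" line that points at
# security.debian.org with suite RELEASE/updates, else exit 1.
has_security_source() {
    awk -v suite="$2/updates" '
        { sub(/#.*/, "") }            # strip comments, including whole-line ones
        $1 != "deb" { next }          # skip blank lines and deb-src entries
        {
            i = 2
            if ($i ~ /^\[/) {         # skip an optional [options] field
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i; s = $(i + 1)
            if (uri ~ /^[a-z]+:\/\/security\.debian\.org(\/|$)/ && s == suite)
                found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample: the security line is commented out, so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian sarge main
# deb http://security.debian.org/ sarge/updates main contrib non-free
EOF
if has_security_source "$sample" sarge; then
    echo "security updates enabled for sarge"
else
    echo "no active security.debian.org entry for sarge"
fi
rm -f "$sample"
```

On a real system the first argument would be /etc/apt/sources.list and the second the release name used in that file.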

The Testing distribution now has security updates. In order to obtain security updates for your Debian testing system, add the following to /etc/apt/sources.list:

deb http://secure-testing.debian.net/debian-security-updates/ etch/security-updates main contrib non-free

deb-src http://secure-testing.debian.net/debian-security-updates/ etch/security-updates main contrib non-free

For more information on Testing security visit: http://secure-testing.debian.net/


To be promptly alerted of the latest Debian security advisories you should subscribe to the debian-security-announce mailing list (http://lists.debian.org/debian-security-announce/).

While the Debian testing and unstable distributions are not officially supported by the Debian security team, Debian security advisories generally indicate whether the vulnerability extends to the testing and unstable distributions, and if so, when to expect the vulnerability to be resolved.

To obtain updates for your packages from the testing and unstable distributions you should execute apt-get update followed by apt-get upgrade or apt-get dist-upgrade to update your system to fixed versions of any packages.

To find out whether a vulnerability has been fixed in the updated package, you can read the changelog for the package before upgrading by installing the package apt-listchanges, or by first locating the package in question through the Debian packages listing (http://www.debian.org/distrib/packages), and second selecting the "developer information" link on the package page.
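The changelog check described above can be scripted once the changelog text is available. This is an added example, not part of the original wiki page: the names versions_fixing and sample_changelog, the package examplepkg and the CVE-0000-… identifiers are constructed placeholders.

```shell
#!/bin/sh
# versions_fixing FILE ID
# Print the version of every entry in the Debian changelog FILE whose
# text mentions the advisory identifier ID (for example a CVE name).
versions_fixing() {
    awk -v id="$2" '
        # True if line contains key not followed by another digit, so a
        # short identifier does not match a longer one sharing its prefix.
        function mentions(line, key,    p) {
            while ((p = index(line, key)) > 0) {
                line = substr(line, p + length(key))
                if (line !~ /^[0-9]/) return 1
            }
            return 0
        }
        # Entry header: "package (version) distribution; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        ver != "" && ver != last && mentions($0, id) { print ver; last = ver }
    ' "$1"
}

# Constructed changelog; package name and identifiers are placeholders.
sample_changelog() {
    cat <<'EOF'
examplepkg (1.0-2sarge2) stable-security; urgency=high

  * Fix overflow in option parsing (CVE-0000-0001).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.0-2sarge1) stable-security; urgency=high

  * Fix temporary file handling (CVE-0000-0002).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

tmp=$(mktemp)
sample_changelog > "$tmp"
versions_fixing "$tmp" CVE-0000-0001
rm -f "$tmp"
```

If the printed version is newer than the one installed, the fix is not yet on the system.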

To find out whether a vulnerability or instability exists in a package before installing it or upgrading to it, you can read a listing of critical bugs for a package at the time of upgrading or installing by installing the package apt-listbugs, or by first locating the package in question through the Debian packages listing (http://www.debian.org/distrib/packages), and second selecting the "bug reports" link on the package page to access the bug tracking information for the package in question.

Note that while Debian security advisories for the stable distribution may include information about the vulnerability for the testing or unstable distributions, security advisories are not generally issued for either the testing or unstable distributions alone. As a result, you should be aware that vulnerabilities do exist and are fixed in the testing and unstable distributions without a Debian security advisory ever being issued if the vulnerability does not also exist in the stable distribution, or if the package does not exist in the stable distribution.

Gentoo

To obtain the latest packages, including security updates, synchronize portage and update packages using the commands:

  • emerge --sync
  • emerge -auDv world

To perform security updates only, emerge gentoolkit and run glsa-check --fix new.

Mandrake

On Mandrake Linux, you should select the Software Update option from drakconf, or run MandrakeUpdate manually.

It will retrieve a list of ftp mirrors and select the one closest to you. After that you can browse the security updates available for your system and install them.

Redhat

On a recent RedHat system, just run up2date.

Slackware

Swaret users can [swaret users add something]

Or check out the Slackware Security Advisories (if you aren't on the mailing list) and follow the instructions - usually simply a matter of downloading the necessary packages and doing 'upgradepkg packagename'.

Suse

SuSE provides YOU (YaST Online Update) to update your system with both security updates and updated versions of programs (such as firefox) when they become available.

To access YOU, you can either open YaST and select "Online Update" from the software tab, or you can open SuSE Watcher. Using Watcher is usually easier because it runs as an applet, and is started for you.

OpenBSD

Check out the errata page (OpenBSD Errata), and also the low-volume Security Announce and ports-security mailing lists listed under OpenBSD Mailing Lists.

[more - differences for different versions?]