GNU Linux Debian – security-tracker.debian.org tracker status release stable – semi-manual system update method vs full automatic updates – apt can do https now: update /etc/apt/sources.list http -> https

26.Jul.2021

CyberSec / ITSec / Sicherheit / Security / SPAM, Debian

timely updates for found security problems are critical.

semi-manual system update method:

there shall be a /script/update.sh which shall be run, by the admin every week or every month on a fixed date manually:

incremental backup (or even better snapshot) before update
perform the update
perform a reboot (as this is usually needed to make changes such as new kernels active)

crontab:

lsb_release -a; # tested
Description: Debian GNU/Linux 11 (bullseye)

su - root
crontab -e; # will run the update process every night at 3:00 am
0 3 * * * /scripts/update.sh

update script:

vim /scripts/update.sh
#!/bin/bash

echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a /scripts/update.sh.log

apt update 2>&1 | tee -a /scripts/update.sh.log
apt -y upgrade 2>&1 | tee -a /scripts/update.sh.log

echo "=== automatically removing un-needed packages (and old kernels) ==="
# keeping too many old kernel versions might fill up boot partition
apt -y autoremove | tee -a /scripts/update.sh.log
echo "=== fine ===" | tee -a /scripts/update.sh.log
echo "" | tee -a /scripts/update.sh.log

automatic updates?

CAN be also a good solution, if:

the system is software wise very minimalistic (dedicated to one task only)
security of the update-servers need to be maximum strong
it is probably wise to auto-update only do minor version of Debian distributions (10.8 -> 10.9)
- automatic upgrade between major versions (Debian 10 -> 11) will often work (thanks for that good work) but are risky
- thus: definitely BACKUP (OR BETTER SNAPSHOT) MAJOR RELEASE UPGRADES! (DIST UPGRADE!)
  - also dist upgrades usually will prompt the user to review and accept or discard changes to system config files

if those requirements are not met, go with semi-manual method above.

Also: it is wise to a have a non-production test-system plus a list of test-cases that the test-system needs to meet, before applying updates to production-systems.

https://security-tracker.debian.org/tracker/status/release/stable

“Debian takes security very seriously.”

“We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.”
“Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public”
“and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.”
“Experience has shown that security through obscurity does not work.”
“Public disclosure allows for more rapid and better solutions to security problems.”
“In that vein, this page addresses Debian’s status with respect to various known security holes, which could potentially affect Debian.”
“Debian also participates in security standardization efforts:
- the Debian Security Advisories are CVE-Compatible (review the cross references)
- Debian is represented in the Board of the Open Vulnerability Assessment Language project.

src: https://www.debian.org/security/

Keeping your Debian system secure

“In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list.”

You can use apt to easily get the latest security updates. This requires a line such as

deb http://security.debian.org/debian-security buster/updates main contrib non-free

this is the default setting for /etc/apt/sources.list in
hostnamectl; # tested on
 Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-17-amd64
Architecture: x86-64

# how to update

su - root
apt-get update && apt-get upgrade

to download and apply the pending updates. The security archive is signed with the normal Debian archive signing keys.

For more information about security issues in Debian, please refer to the Security Team FAQ and a manual called Securing Debian.

apt-transport-https obsolete as apt can do https

requirement: /etc/apt/sources.list http -> https

no need to install apt-transport-https manually anymore, as it is “a dummy transitional package – https support has been moved into the apt package in 1.5. It can be safely removed”

IF (!!!) https is used in /etc/apt/sources.list (src)

which can be search & replaced like this in vim:

su - root
vim /etc/apt/sources.list
:%s/http:/https:/g

apt show -a apt-transport-https
Package: apt-transport-https
Version: 1.8.2.3
Priority: optional
Section: oldlibs
Source: apt
Maintainer: APT Development Team <deity@lists.debian.org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Tag: role::shared-lib
Download-Size: 149 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.halifax.rwth-aachen.de/debian buster/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.

Package: apt-transport-https
Version: 1.8.2.2
Priority: optional
Section: admin
Source: apt
Maintainer: APT Development Team <deity ÄT lists DOTTTT debian DOTT org>
Installed-Size: 156 kB
Depends: apt (>= 1.5~alpha4)
Download-Size: 149 kB
APT-Sources: http://security.debian.org/debian-security buster/updates/main amd64 Packages
Description: transitional package for https support
 This is a dummy transitional package - https support has been moved into
 the apt package in 1.5. It can be safely removed.

admin