[CentOS] Is this right? -- Centos 6 and RHEL 6 infrastructure for continuous update/upgrade

Sun Feb 10 08:37:47 UTC 2013
James Hogarth <james.hogarth at gmail.com>

> I would assume (and I know it's not good to do that!) that the updates
> and patches that are pushed out through the repos are something not to
> be ignored,....so why would the severity of one be that big an
> issue?....(and I'm just curious...not trying to start a war!..LoL!)
>

For a start there are three categories: bug fixes, enhancements and security
fixes.

The first will cover things like typos in man pages or behaviour that is
not right but has no risk to the system.

The second adds something new to a package - tzdata is a good example here.

The third is security issues - these will generally fix one or more CVE
announcements.

Within that third category there are different levels of security issue
depending on the nature of the problem.

For example if something needs an interactive login as an unprivileged user
to cause a process (eg mysqld) to fail that could be a low security risk
given the need to be on the system and only a denial of service to that one
subsystem and no data loss.

A higher category might be an unprivileged user being able to escalate
their privileges to obtain increased access to a system they shouldn't have
- there was a sudo exploit last year that would fall into this.

The most severe category of security issue would allow an unprivileged user
to remotely gain privileged access... This leads to full system compromises
and should always be patched asap - especially on public facing systems.

Sometimes it's possible to chain these things together... For example
there might be a way for an unprivileged user to run arbitrary code (think
a php bug perhaps) which you could then chain to a local privilege
escalation to take full control of a system.

This is also why selinux is important to confine services to prevent them
from going out of their allowed domain and mitigating security issues as
and when they arise.

As an admin rather than just updating everything all the time it's best
practice to schedule updates and test them before major roll outs.
Depending on the severity of the issue it may be something you delay to a
standardised patching schedule (eg once a month update things) or treat as
an emergency and roll out much quicker.

Does that help explain things?
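The triage policy described in the reply above (bug fixes and enhancements wait for the monthly window, security fixes are handled by severity), as an added example that is not part of the original thread. It assumes the repository ships updateinfo metadata in the `yum updateinfo list` format (as RHEL does; stock CentOS 6 repos do not), the errata IDs and package versions in the sample are constructed, and the severity-to-action mapping is an illustrative policy, not a Red Hat rule.

```python
import re
from collections import namedtuple

# Constructed sample of `yum updateinfo list` output; the advisory IDs are
# placeholders, not real errata. "<Severity>/Sec." marks a security advisory.
SAMPLE_UPDATEINFO = """\
RHSA-0000:0001 Critical/Sec.  openssl-1.0.0-27.el6_4.2.x86_64
RHSA-0000:0002 Low/Sec.       mysql-server-5.1.67-1.el6_3.x86_64
RHSA-0000:0003 Important/Sec. sudo-1.7.4p5-13.el6_3.x86_64
RHBA-0000:0004 bugfix         man-pages-3.22-20.el6.noarch
RHEA-0000:0005 enhancement    tzdata-2013a-1.el6.noarch
"""

Advisory = namedtuple("Advisory", "id kind severity package")

# Three whitespace-separated columns: advisory id, type/severity, package NEVRA.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_updateinfo(text):
    """Turn `yum updateinfo list` lines into Advisory records; skip malformed lines."""
    advisories = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        adv_id, kind_field, package = m.groups()
        if kind_field.endswith("/Sec."):
            # Security advisory: severity is the part before "/Sec."
            advisories.append(Advisory(adv_id, "security", kind_field.split("/")[0], package))
        else:
            advisories.append(Advisory(adv_id, kind_field, None, package))
    return advisories


def triage(advisory, public_facing):
    """Return 'emergency' or 'scheduled' for one advisory (illustrative policy)."""
    if advisory.kind != "security":
        return "scheduled"      # bug fixes and enhancements wait for the monthly window
    if advisory.severity == "Critical":
        return "emergency"      # remote privileged access: patch asap everywhere
    if advisory.severity == "Important" and public_facing:
        return "emergency"      # privilege escalation class, worse when exposed
    return "scheduled"          # Low/Moderate: test and roll out on schedule


def plan(advisories, public_facing):
    """Group advisory IDs by action so the emergency list can be handled first."""
    result = {"emergency": [], "scheduled": []}
    for adv in advisories:
        result[triage(adv, public_facing)].append(adv.id)
    return result
```

Feeding real output (`yum updateinfo list | python triage.py`) only needs the parser's input swapped for `sys.stdin.read()`; the policy thresholds are the part to adapt to your own patching schedule.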