Description of procedures to track and apply security patches for the Operating System(s) in use on CAcert's critical servers, more specifically for Debian GNU/Linux, as currently used on CAcert's webdb server.

Tracking security patches

Security alerts and the availability of security patches are monitored by subscribing to the debian-security-announce mailing list. If necessary, all security advisories can also be consulted directly on the Debian Security Information web page. Note that many security advisories are not relevant for the webdb server, because it runs with a fairly minimal set of software packages.

On the running system, the availability of relevant security patches from the configured repositories can be determined by:

An automatic script /etc/cron.daily/apt-warn is used to perform this check daily and inform the system administrators by e-mail about the availability of relevant security patches.

Applying security patches

Relevant security patches should be applied at the earliest convenient moment. A log should be kept of the output of the patch process, and a notice should be mailed to the mailing list specifying the old and new version of each upgraded package. Thus the process is:

and e-mail the output of apt-show-versions -u to

In addition, when a patch modifies operating system components (typically shared libraries) that are duplicated in the chroot environment the web server runs in, the updated copies need to be propagated to the web server's chroot environment (under /home/cacert); apt only updates the files outside the chroot, so without this step the web server keeps using the unpatched copy. The web server also has to be restarted afterwards, since a running process keeps the old library mapped until it restarts.
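The script below is an added example of the procedure above, not one of CAcert's own scripts. It snapshots installed package versions before and after patching, produces the old/new version list for the notice, and copies updated files into the chroot for every file the chroot already carries. Assumptions not taken from this page: Debian's dpkg-query, dpkg -L and apt-get are available; apt-get upgrade is used as the patch command (the page does not name one); a mail command exists; the notification address is passed in through NOTIFY_LIST, since the page leaves it blank; the log is written under /var/log.

```shell
#!/bin/sh
# Added example, not one of CAcert's own scripts. Assumptions: dpkg-query,
# dpkg -L and apt-get are available; "apt-get upgrade" is the patch command
# (the page does not name one); a "mail" command exists; the notification
# address comes from NOTIFY_LIST because the page leaves it blank.
set -u
LC_ALL=C; export LC_ALL      # fixed collation so join(1) sees the order sort(1) produced

# snapshot_versions FILE: record "package version" for every installed package,
# sorted on the package name (join needs both inputs sorted on the join field).
snapshot_versions() {
    dpkg-query -W -f='${Package} ${Version}\n' | sort -k1,1 > "$1"
}

# upgraded_packages BEFORE AFTER: print "package old_version new_version" for
# every package whose version differs between the two snapshots. Packages that
# appear in only one snapshot (newly installed or removed) are left out.
upgraded_packages() {
    join "$1" "$2" | awk '$2 != $3 { print $1, $2, $3 }'
}

# sync_chroot_files SRCROOT CHROOT: read file paths on stdin (e.g. from dpkg -L)
# and, for each regular file that already exists inside CHROOT, copy the host
# version over it. Files the chroot does not carry are never added, so nothing
# new leaks in. SRCROOT is "" for the live host; it is a parameter so the
# function can be exercised against a scratch directory. Symlinks are followed.
sync_chroot_files() {
    src=$1; chroot=$2
    while IFS= read -r path; do
        [ -f "$src$path" ] || continue                 # skip directories and non-files
        [ -f "$chroot$path" ] || continue              # not duplicated in the chroot
        cmp -s "$src$path" "$chroot$path" && continue  # already identical
        cp -p "$src$path" "$chroot$path"
        printf 'updated %s\n' "$chroot$path"
    done
}

# apply_security_patches CHROOT: the full run as the page describes it:
# snapshot, patch while keeping a log, report old/new versions, propagate
# the changed files into the chroot, mail the report.
apply_security_patches() {
    chroot=${1:-/home/cacert}
    stamp=$(date +%Y%m%d-%H%M%S)
    log=/var/log/security-patch-$stamp.log             # assumed log location
    before=$(mktemp); after=$(mktemp); report=$(mktemp)

    snapshot_versions "$before"
    apt-get update && apt-get -y upgrade 2>&1 | tee "$log"
    snapshot_versions "$after"

    upgraded_packages "$before" "$after" > "$report"
    while read -r pkg old new; do
        printf '%s: %s -> %s\n' "$pkg" "$old" "$new"
        dpkg -L "$pkg" | sync_chroot_files "" "$chroot"
    done < "$report" | tee -a "$log"

    mail -s "webdb security patches applied $stamp" \
        "${NOTIFY_LIST:?set NOTIFY_LIST to the list address}" < "$report"
    rm -f "$before" "$after" "$report"
}

# Only run the live procedure when explicitly asked: sh patch.sh run [CHROOT]
case "${1:-}" in
    run) apply_security_patches "${2:-/home/cacert}" ;;
esac
```

Note that sync_chroot_files deliberately copies only files the chroot already contains; the intent is to refresh duplicated components, not to grow the chroot with every file of an upgraded package. The web server still has to be restarted after the copy so it picks up the new libraries.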

Other notes


Some Random Notes to make this process more secure (unfortunatelly it also means more work) -- BerndEckenfels