Section 8.10. Keeping Up with Security

8.10. Keeping Up with Security

Linux distributions share their news relating to security issues in different ways. We'll examine how you can learn about security updates for the major distributions covered by this book: Fedora Core, Red Hat Enterprise Linux, SUSE, and Debian.

Linux security announcements are often publicized through major Linux news sites, such as http://www.linuxtoday.com and http://www.linux.org/news. However, they may not get all security announcements, and you may miss security issues in the clutter of other articles about Linux. The best option is to go to the source; normally, the group behind the distribution lists all updates related to the packages they've released somewhere on their web site. It can help you make a judgment about which security updates are most important for you.

In many cases, you can add a running list of security updates as a Rich Site Summary (RSS) feed to your Firefox browser, which is described in "Firefox Isn't Working as It Should" in Chapter 3.

If, in fact, you're reluctant to upgrade specific packages for every last security update, you can exclude those packages from upgrades with the yum --exclude switch or the /etc/apt/preferences file. I describe how these options work earlier in this chapter.

8.10.1. Fedora Core

Appropriately enough for Fedora's market and open source nature, Fedora Core updatesincluding those associated with securityare maintained in a Fedora News blog at http://fedoranews.org/blog/. Updates are added by its volunteer writers.

The Fedora News blog includes updates related to Fedora Legacy projects. As currently defined, that includes Fedora releases that are more than one year old, as well as some updates related to Red Hat Linux 9 and older releases.

As of this writing, security updates associated with Fedora Core 1 and 2, prior to November 8, 2004, are archived at http://fedoranews.org/updates. As Fedora Core releases advance, expect to see security updates for more releases here.

Security updates for Red Hat Linux 7.2-9 may be available from third parties. One option is the Progeny Transition Service, which may still offer support in 2006. For the latest information, see http://transition.progeny.com.

Alternatively, you may be able to find some updates through the Red Hat mailing lists (http://www.redhat.com/mailman/listinfo). Security announcements for Red Hat Linux 9 are available through May 2004.

8.10.2. Red Hat Enterprise Linux 3/4

If you have an official subscription to Red Hat Enterprise Linux 3/4, Red Hat will send security and bug fix announcements to the email address associated with your account. You should be able to update your systems using the up2date utility described earlier.

Red Hat copies many of its security announcements to the public Enterprise Watch mailing list, available at https://www.redhat.com/mailman/listinfo/enterprise-watch-list.

8.10.3. SUSE

SUSE maintains its security updates differently. Its security updates generally apply to all active SUSE distributions. Many of the security updates are listed in "Summary Reports" available at http://www.novell.com/linux/security/securitysupport.html.

There is also a SUSE security-related mailing list, suse-security-announce. More information is available at http://www.novell.com/linux/security/securitysupport.html. You should be able to update your systems using the YaST Online Update utility described in "Find the Right Update Repository," earlier in this chapter.

8.10.4. Debian Security Updates

The Debian security team has focused its efforts on the stable distribution. You can find more information on Debian security advisories and updates at http://www.debian.org/security/. You can get email updates by subscribing to the debian-security and debian-security-announce mailing lists at http://lists.debian.org.

You'll need to include the Debian security repositories in your /etc/apt/sources.list file. As of this writing, the security repositories for Debian Sarge and Etch are available at:

 deb http://security.debian.org/ sarge/updates main contrib non-free deb http://security.debian.org/ testing/updates main 

Once you're ready, you can access the latest security updates with the appropriate apt-get update command.

Debian does not support mirrors for security updates at this time and does not support security updates to the unstable (Sid) release. It addresses security issues to Sid with new packages in the regular repositories.

8.10.5. Other Packages

If you've installed packages from sources other than those maintained for your distribution, you'll need to go to the source for security updates. For example, SUSE can't provide security updates for CrossOver Office. Generally, you should subscribe to any security lists associated with any nondistribution-based package that you install.