The subject says it all: How quickly do people apply security patches to their servers?

This could be scary

Im a few days most of the time. It depends what the security risk is, which changes how im notified.

Originally posted by davidb
This could be scary

Yes, it could be. There's an awful lot of servers which have security holes dating back over a year.

One thing I've been wondering about is how many of these servers are "orphaned" -- that is, how many of them are not being kept patched because they no longer have any administrator looking after them. I have a feeling that it might be quite a few; with all the job losses in the tech sector I'm sure that there are boxes hooked up to corporate networks which only the (since departed) network administrator knew about.

ya, I read some stories of people who have said how insecure some are, and people do nothing about it. Right now I have a friend who is really good at security looking at freevsd setup on my server. he has found a few buff overflows so far, Im just happy its him finding them first...

That depends on how serious the security hole is. In BIND remote root case, I upgraded immediately within five minutes of advisory which I saw on linuxtoday.com, I even shutdown it first before upgrading. In SSH UseLogin case, I didn't bother for months since I don't use that feature.

We normally do patches/hotfixes after about 2 days of the release and after they have been tested on our test servers (want to make sure they are stable and any side effects).

Usual secuirty patches are within a couple days.

If it's a major secuirty exploit, then it's done right away.

I apply important security updates as soon as they are released, but of course try them on a test machine first, where the test machine is running the exact same software as all of our servers.

I apply not so important ones and upgrade all subsystems on the last day of the month when new versions come out. If there isn't enough time to test them before the end of the month, they'll make it into the next months' updates.

Which sometimes sucks, because our scheduled maintenance is on the last day of every month. So on new years eve, I was doing the following upgrades:

Java J2SE 1.3.1-02
PHP 4.1.1
MySQL 3.23.47
OpenSSL 0.9.6c
OpenSSH 3.0.2p1
ProFTPD 1.2.4

But it goes rather fast, because I roll everything up into a tar ball from the test machine. And have any instructions documented step by step for that month's updates.

Upgrading squirrelmail today. It didnt' make it into last month's updates because it was release like the day before christmas, but I don't feel that web mail needs to wait until the end of the month as it shouldn't affect anything, so announced the upgrade with the monthly billing statements on the first. I'm excited about the new features, because I use the web based email a lot.

What also sucks, is when you've been testing PHP 4.1.0 for awhile, and all ready to upgrade the rest of the servers, and then 4.1.1 comes out a few days before the end of the month, so I don't get a chance to test it, but it claims to fix bugs in 4.1.0, so have to go with that instead, and make another tarball.

Still, open source is neat. Wouldn't have it any other way.

greetings,

We apply security patches to our test server first and if all goes well then apply them server wide - to all our production machines. Timeline is between 24 - 72 hours from the date the patch is made available.


elijaH :)