chef - [chef] Re: Re: Re: Re: Shellshock patching with Chef

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Re: Shellshock patching with Chef

From: AJ Christensen < >
To: " " < >
Subject: [chef] Re: Re: Re: Re: Shellshock patching with Chef
Date: Tue, 30 Sep 2014 11:47:12 +1300

On Tue, Sep 30, 2014 at 11:39 AM, Brian Pitts
< >
wrote:
> Depending on your tolerance for automatic security upgrades, on ubuntu
> and debian you could use
> https://supermarket.getchef.com/cookbooks/unattended-upgrades

If you use unattended upgrades for Debian family be sure to schedule
automatic removal of old packages (or do it often) and be careful with
kernel upgrades as well!

--aj

>
> On Mon, Sep 29, 2014 at 5:32 PM, Morgan Blackthorne
> < >
>  wrote:
>> We have our own mirror for ubuntu, but we don't force the latest version. I
>> don't think we have RHEL or OL or Debian mirrors at the moment, though.
>>
>> Forcing the latest version might just be the simplest way to resolve it.
>>
>> --
>> ~*~ StormeRider ~*~
>>
>> "Every world needs its heroes [...] They inspire us to be better than we
>> are. And they protect from the darkness that's just around the corner."
>>
>> (from Smallville Season 6x1: "Zod")
>>
>> On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
>>
>> On Mon, Sep 29, 2014 at 3:26 PM, AJ Christensen
>> < >
>>  wrote:
>>>
>>> yo,
>>>
>>> On Tue, Sep 30, 2014 at 11:23 AM, Morgan Blackthorne
>>> < >
>>>  wrote:
>>> > I'm looking to see if there's a good way to help manage patching of
>>> > vulnerabilities with Chef. This Shellshock one seems to be a great
>>> > example
>>> > of why Chef would be a helpful tool for the job, since it's just a
>>> > package
>>> > in need of upgrading (bash).
>>> >
>>> > My question is, what's the best way in Chef to say "for this
>>> > distribution
>>> > and release, ensure that this package is at least at version X" without
>>> > potentially downgrading the package down the road? I want to set a
>>> > minimum
>>> > bar, but I don't wan't to permanently pin the version.
>>>
>>> I like pushing sec packages into a signed internal repository. Always
>>> roll to latest. Makes the chef code simple(r), especially for managing
>>> multiple edges.
>>>
>>> Some providers support pessimistic version specifications (~>). They
>>> may be of use.
>>>
>>> --aj
>>>
>>> >
>>> > Thoughts? Thanks!
>>> >
>>> > --
>>> > ~*~ StormeRider ~*~
>>> >
>>> > "Every world needs its heroes [...] They inspire us to be better than we
>>> > are. And they protect from the darkness that's just around the corner."
>>> >
>>> > (from Smallville Season 6x1: "Zod")
>>> >
>>> > On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
>>
>>
>
>
>
> --
> Brian Pitts
> Web Operations Engineer

[chef] Shellshock patching with Chef, Morgan Blackthorne, 09/29/2014
- [chef] Re: Shellshock patching with Chef, AJ Christensen, 09/29/2014
  - [chef] Re: Re: Shellshock patching with Chef, Morgan Blackthorne, 09/29/2014
    - [chef] Re: Re: Re: Shellshock patching with Chef, Brian Pitts, 09/29/2014
      - [chef] Re: Re: Re: Re: Shellshock patching with Chef, AJ Christensen, 09/29/2014
      - [chef] Re: Re: Re: Re: Shellshock patching with Chef, Morgan Blackthorne, 09/29/2014
        
        [chef] Re: Re: Re: Re: Re: Shellshock patching with Chef, Walter Dolce, 09/29/2014
        
        [chef] Re: Re: Re: Re: Re: Shellshock patching with Chef, David Giesberg, 09/30/2014
        
        [chef] Re: Re: Re: Re: Re: Re: Shellshock patching with Chef, Morgan Blackthorne, 09/30/2014