The scary glibc vulnerability
Perhaps you’ve heard the news about the new and scary glibc vulnerability. If you haven’t, you should definitely read up on it. Now if you’re running a server, it’s important to always check for and install security updates, especially in cases like these.
Unfortunately, there are quite a few servers out there that don’t. Of course, keeping everything up to date can take quite a bit of time and takes quite some discipline. There was a time when I’d log in to my server every day to check for updates, so I know what I’m talking about. I grew tired of it very quickly, but I didn’t want my server to be insecure either. Luckily, there’s an easy fix if you’re running Debian.
Automatic security updates on Debian
Since there are tutorials for setting up Unattended Upgrades elsewhere, I’m not going to repeat that info here. It’s easy to modify that setup so only security updates will be installed. But in this tutorial we won’t simply stop there; we’ll be going a bit deeper.
Setting up automatic security updates is a really good start, but we’re not quite there yet. That’s because processes started before the update keep running with the old, still-vulnerable libraries loaded in memory. Now one option is to simply reboot after each security update. It works, but it’s not exactly subtle. A better way is to use another Debian goodie, Checkrestart.
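To make the "still running in memory" problem concrete, here is an added example (not part of the original post, and not Checkrestart's own code) that finds processes still mapping a shared library whose file was removed or replaced on disk. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find shared libraries that are still mapped into a process
# although the file on disk was deleted or replaced by an upgrade.

# stale_libs [MAPS_FILE]
# Reads /proc/<pid>/maps formatted text (file argument or stdin) and prints
# each unique shared-object path that the kernel marks as "(deleted)".
stale_libs() {
    awk '
        # Field 6 onward is the pathname. The kernel appends " (deleted)"
        # when the mapped file no longer exists under that name.
        $NF == "(deleted)" && NF >= 7 {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i   # paths with spaces
            # Keep libraries only; skip deleted shm segments, temp files, etc.
            if (path ~ /\.so(\.|$)/ && !seen[path]++) print path
        }
    ' "$@"
}

# scan_procs [PROC_ROOT]
# Walks every numeric directory under PROC_ROOT (default /proc) and prints
# "pid<TAB>library" for each process that still uses a replaced library.
scan_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue      # not readable, or already gone
        stale_libs "$dir/maps" 2>/dev/null | while IFS= read -r lib; do
            printf '%s\t%s\n' "${dir##*/}" "$lib"
        done
    done
}

# Constructed sample: maps of a daemon started before a libc upgrade.
sample_maps() {
    cat <<'EOF'
55d0c4a00000-55d0c4a2c000 r-xp 00000000 08:01 262155 /usr/sbin/sshd
7f3a10000000-7f3a101a1000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a101a1000-7f3a103a1000 ---p 001a1000 08:01 131090 /lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a10400000-7f3a10420000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f3a10500000-7f3a10501000 rw-s 00000000 00:05 98311 /dev/shm/cache (deleted)
7ffc8a1e0000-7ffc8a201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Demo on the constructed sample; on a live system run scan_procs as root.
sample_maps | stale_libs
```

Any PID that `scan_procs` reports belongs to a service that needs a restart before the update actually protects it.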