By Bri Hatch.
Summary: Keeping your machine up to date requires that you update your software. If your distro uses RPM packages, be sure you aren't accidentally installing new software when you upgrade.
The problem with any system is that your software is out of date the second you install it, and when security problems are found, you need to upgrade your software. Linux is great in that you don't need to reboot, you can upgrade your software on the fly.
Most Linux distributions maintain a web or FTP site that provides
updated RPMs for security or other critical bugs. Some even include
handy helpful programs to make it easier to identify older software
and automatically upgrade to the newest available version, for example
It's fairly trivial to mirror the updates section of your distro's website. For example I used to use the following to snag all the Red Hat 6.2 upgrade RPMs:
$ wget -m --no-parent ftp://ftp.valinux.com/pub/mirrors/redhat/redhat/updates/6.2/en/os/i386
The above command would download all the x86 updates. Run it nightly from cron, and you've always got a repository of updated packages. Now that you have them, it's time to upgrade. Say you are running Apache (who isn't) and there's an upgrade for it, you'd do the following to upgrade:
Now wouldn't it be tempting to just run
Instead of using
If you do want to run upgrades out of
 RPM stands for "Red Hat Package Manager", created by, unsurprisingly, Red Hat.
there are many front ends to
 In many cases, such as daemon programs, you need to restart your software, and this is likely not built into the post-upgrade functionality of the RPM. See the article Upgrade Process: Restarting vs Rebooting.
 Usually, when a package has a security problem, the bug is fixed in the exact same version of the software, rather than upgrading you to a new version of the software. Upgrading Apache-1.3.x to Apache-1.3.y could cause problems (perhaps some of your modules aren't available for the new version) so patches are 'backported' to the currently-available version when necessary. Because of this, you shouldn't need to change any of your configuration or setup in 95% of your upgrades.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He gets a lot of work done at Starbucks while waiting for his wife's car to get fixed. If only he had a second battery for his laptop... Bri can be reached at email@example.com.
Copyright Bri Hatch, 2003
This is the September 11, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityfirstname.lastname@example.org.