Updating the OS Packages of Your Server


Introduction

To keep your server secure and up to date, it is important to update the OS packages on your server. This guide explains how you can perform these updates, depending on what OS and Control Panel is used by your server. If you have questions about the update process, contact support@eapps.com. If you would like eApps to perform these updates for you, contact sales@eapps.com.

Note that for severe security issues, eApps may apply patches to your server, or provide specific instructions to you about what you need to do to mitigate the security issues.

CentOS (with or without ISPmanager control panel)

Generating the Repository Cache

First, fetch the latest list of packages from the configured repositories. If you are using ISPmanager, this will include the ISPsystem repository as well as the eApps repository. All commands must be run as root.

# yum makecache

After the repository cache is generated, you can apply updates to a single package or to all installed packages.

Updating A Single Package

You can update a single package using the following syntax:

# yum update <package_name>

For example, to update the openssl package:

# yum update openssl

You may be interested in updating a single package if you want to mitigate a recently discovered vulnerability. In CentOS, security patches may be "backported" to a package without updating the major version number. This is important to keep in mind when scanning your server for PCI compliance. Most PCI scan vendors tend to only look at the major version number of a package and not the security patches it has.

Note: eApps offers PCI Compliance assistance services on a request basis (quoted fee), as well as on a subscription basis (set, recurring quarterly fee). Our technicians will review your PCI scan report and perform software updates and advise you as to other actions that must be taken to pass the scan. See https://portal.eapps.com/order/index.php?pid=76 for information about our PCI Assistance subscription service.

You can check the ChangeLog of a package to determine if a security patch is applied using the following syntax:

# rpm -q --changelog <package_name> | grep <CVE_ID>

Here, we are checking if the openssl package has a patch to fix CVE-2018-5407:

# rpm -q --changelog openssl | grep CVE-2018-5407
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction

The fix is included in this version of openssl.

Updating All Installed Packages

You can see a list of packages that have updates available with the following syntax:

# yum update

You will be presented with a list of packages that have available updates before they are applied so you can confirm.

Note: Updating all packages will also update ISPmanager packages and update the control panel to the latest version. Be sure to check the ChangeLog of the software you are using before applying updates. The ChangeLog for ISPmanager can be found here: https://www.ispsystem.com/software/ispmanager/changelog

CentOS (cPanel/WHM control panel)

cPanel provides its own repositories and update mechanism. While it is possible to use yum as with a regular CentOS install, it is strongly recommended to use the update method built into the control panel.

For instructions on how to update your cPanel & WHM server, see https://documentation.cpanel.net/display/CKB/How+to+Update+Your+System

CentOS (Plesk control panel)

Plesk can apply software updates through the control panel on Linux. For information on how to do this, see https://docs.plesk.com/en-US/onyx/administrator-guide/server-administration/system-updates-plesk-for-linux-only.75822/

Windows (Plesk control panel)

To apply updates to Plesk itself (on Windows and Linux), see https://docs.plesk.com/en-US/onyx/administrator-guide/70989/

Windows (no control panel)

Windows updates are enabled by default and will automatically be downloaded. They will not be applied until you confirm.

Manually Checking For Updates (Windows 2008, Windows 2012)

See Microsoft's official documentation for manual Windows Update checking: https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update 

Manually Checking For Updates (Windows 2016)

  1. Click on Start and open the Settings application
  2. Click on Update & Security
  3. Click Check for updates in the Update status section

Some updates may require a reboot. You can configure when this reboot occurs via Active Hours or Restart options.

Active Hours

You can select a timeframe in which Windows will not automatically restart. Note that this timeframe can only be 12 hours.

Restart Options

You can select a custom date and time for an automatic reboot to occur.

Debian & Ubuntu (no control panel)

Generating the Repository Cache

As with CentOS, you need to fetch a list of available updates first. All commands must be run as root.

# apt-get update

After the repository cache is generated, you can apply updates to a single package or to all installed packages.

Updating A Single Package

You can update a single package using the following syntax:

# apt-get --only-upgrade install <package_name>

For example, to update the openssl package:

# apt-get --only-upgrade install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
openssl
1 upgraded, 0 newly installed, 0 to remove and 107 not upgraded.
Need to get 747 kB of archives.
After this operation, 72.7 kB of additional disk space will be used.
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 openssl amd64 1.1.0k-1~deb9u1 [747 kB]
Fetched 747 kB in 0s (14.5 MB/s)
Reading changelogs... Done
(Reading database ... 28570 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.0k-1~deb9u1_amd64.deb ...
Unpacking openssl (1.1.0k-1~deb9u1) over (1.1.0f-3+deb9u1) ...
Setting up openssl (1.1.0k-1~deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...

As with CentOS, you can get the ChangeLog of a package to determine if a certain security patch is applied using the following syntax:

# apt changelog openssl

You will be presented with the ChangeLog in your pager. To search through this document, you can scroll up and down or you can use the / character plus your query, such as:

/CVE-2019-1543

You will be taken to the search result and it will be highlighted.

openssl (1.1.0k-1~deb9u1) stretch-security; urgency=medium
* Import 1.1.0k
- CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)

To exit, press q.
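
The changelog checks shown for CentOS (rpm -q --changelog) and for Debian/Ubuntu (apt changelog) can be scripted when a scan report lists several CVE IDs at once. The following is an added example, not part of the original guide: the function name cve_status, its status words and its exit codes are assumptions made for illustration, and the sample input is the Debian changelog excerpt shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): report which CVE IDs from a
# scan report are mentioned in a package changelog read from stdin.
#   CentOS:         rpm -q --changelog openssl | cve_status CVE-2018-5407
#   Debian/Ubuntu:  apt changelog openssl | cve_status CVE-2019-1543
# Exit status: 0 = every ID listed, 1 = at least one not listed, 2 = malformed ID.
cve_status() {
    log=$(cat)          # read the changelog once, then test each ID against it
    rc=0
    for cve in "$@"; do
        # Reject typos so a mistyped ID is not mistaken for a missing patch.
        if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            echo "$cve invalid-id"
            rc=2
            continue
        fi
        # -F: match the ID literally; -w: whole-word match, so a shorter ID
        # does not match as a prefix of a longer one.
        if printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            echo "$cve listed"
        else
            echo "$cve not-listed"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Constructed sample input: the Debian changelog excerpt shown above.
sample_changelog() {
    cat <<'EOF'
openssl (1.1.0k-1~deb9u1) stretch-security; urgency=medium
  * Import 1.1.0k
    - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
EOF
}

# Demo run against the sample; prints one line per ID.
sample_changelog | cve_status CVE-2019-1543 CVE-2018-5407 ||
    echo "at least one CVE is not mentioned in this changelog"
```

A "not-listed" result only means the changelog does not mention that ID; the installed package may not be affected by it, or the fix may be recorded under a different package.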

Updating All Installed Packages

# apt-get upgrade

