Security Responses and Updates

Cumulus Networks believes in the Linux model of security through transparency. Cumulus Networks constantly monitors security advisories and will provide updated packages and notify users when major vulnerabilities affect Cumulus Linux.

Subscribe to our mailing list at lists.cumulusnetworks.com/listinfo/cumulus-security-announce so you can receive notification from Cumulus Networks whenever we discover a security issue.

All our security issues are tracked on the mailing list and referenced in this article.

Security Policy

Since Cumulus Linux is based on the Debian distribution, Cumulus Networks will, within a reasonable time frame, address security problems in accordance with the Debian policies in place.

Every Cumulus Linux release will include all applicable security patches available prior to the build date. Any new vulnerabilities listed by Debian after the release will be evaluated and made available as a package update via repo.cumulusnetworks.com.

Upgrading Cumulus Linux for Security Updates

When Cumulus Networks or Debian.org issues a critical security update, Cumulus Networks will update Cumulus Linux and describe the nature of the update in an article in the Security section of the Help Center. Other security fixes are added to the Cumulus repositories without announcements (Debian announces all security updates). 

If the article does not specify a procedure for upgrading Cumulus Linux, follow these steps instead:

  1. Run apt-get update.
  2. Run apt-get upgrade.

Caution: If you are running Cumulus Linux 2.5 ESR or earlier and want to install only the security upgrades instead of the complete set of packages, remove the word updates from the main addons updates entry in /etc/apt/sources.list before you upgrade:

deb http://repo.cumulusnetworks.com CumulusLinux-VERSION main addons updates #REMOVE THIS LAST WORD
deb http://repo.cumulusnetworks.com CumulusLinux-VERSION security-updates

When you finish upgrading, add the word updates to the end of the main addons entry in /etc/apt/sources.list.
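
The security-only procedure above for Cumulus Linux 2.5 ESR or earlier, written as a shell script. This is an added example, not a Cumulus Networks tool; the function names and the .pre-security backup suffix are hypothetical, and it assumes the main addons updates entry sits on a single deb line as shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Cumulus Networks tooling.
# Assumes the "main addons updates" entry is a single deb line, as on the page.

ENTRY='^(deb[[:space:]].*[[:space:]]main[[:space:]]+addons)'
TAIL='([[:space:]]*(#.*)?)$'   # optional trailing comment, then end of line

# Apply a sed expression ($1) to a file ($2) in place, keeping its owner/mode.
rewrite_list() {
    _work=$(mktemp) || return 1
    if sed -E "$1" "$2" > "$_work" && cat "$_work" > "$2"; then
        rm -f "$_work"; return 0
    fi
    rm -f "$_work"; return 1
}

# Succeeds if the main addons entry still carries the "updates" component.
updates_component_enabled() {
    grep -Eq "${ENTRY}[[:space:]]+updates${TAIL}" "$1"
}

# Remove the word "updates" from the main addons entry only;
# the security-updates entry is left untouched.
disable_updates_component() {
    rewrite_list "s/${ENTRY}[[:space:]]+updates${TAIL}/\\1\\2/" "$1"
}

# Put the word "updates" back; does nothing if it is already present.
enable_updates_component() {
    rewrite_list "s/${ENTRY}${TAIL}/\\1 updates\\2/" "$1"
}

# Full procedure: strip "updates", upgrade, then restore the entry even if
# apt-get fails. Run as root: security_only_upgrade /etc/apt/sources.list
security_only_upgrade() {
    _list="${1:-/etc/apt/sources.list}"
    cp -p "$_list" "$_list.pre-security" || return 1
    disable_updates_component "$_list" || return 1
    apt-get update && apt-get upgrade
    _status=$?
    enable_updates_component "$_list" || return 1
    return "$_status"
}
```

After the run, updates_component_enabled /etc/apt/sources.list should succeed again, confirming the entry was restored.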

Warning! Do not install security patches directly from Debian unless you have first consulted with Cumulus Networks.

Discovering Security Issues

Users who become aware of a security vulnerability in Cumulus Linux should contact Cumulus Networks with details of the vulnerability. Please send descriptions of any vulnerabilities to security@cumulusnetworks.com. 

Any vulnerability reported through our customers and not yet reported by Debian will be reported to the Debian security team (security@debian.org or team@security.debian.org), and a bug will be filed in the Debian BTS with the tag security.

In addition, Cumulus Networks will work in conjunction with Debian's security team to resolve the issue in a timely manner and publish an advisory as quickly as possible.

Contacting Cumulus Networks' Security Team

As noted above, please contact us at security@cumulusnetworks.com with any security-related questions and issues.
