Cumulus Networks believes in the Linux model of security through transparency. Cumulus Networks constantly monitors security advisories and will provide updated packages and notify users when major vulnerabilities affect Cumulus Linux.
Subscribe to our mailing list at lists.cumulusnetworks.com/listinfo/cumulus-security-announce so you can receive notification from Cumulus Networks whenever we discover a security issue.
All our security issues are tracked on the mailing list and referenced in this article.
Since Cumulus Linux is based on the Debian distribution, Cumulus Networks will, within a reasonable time frame, address security problems in accordance with the Debian policies in place.
Every Cumulus Linux release will include all applicable security patches available prior to the build date. Any new vulnerabilities listed by Debian after the release will be evaluated and made available as a package update via repo.cumulusnetworks.com.
Upgrading Cumulus Linux for Security Updates
When Cumulus Networks or Debian.org issues a critical security update, Cumulus Networks will update Cumulus Linux and describe the nature of the update in an article in the Security section of the Help Center. Other security fixes are added to the Cumulus repositories without announcements (Debian announces all security updates).
If the article does not specify a procedure for upgrading Cumulus Linux, follow these steps instead:
Caution: If you are running Cumulus Linux 2.5 ESR or earlier, and you want to install only the security upgrades instead of the complete set of packages, before you upgrade, remove the word
updates from the
main addons updates entry in
deb http://repo.cumulusnetworks.com CumulusLinux-VERSION main addons updates #REMOVE THIS LAST WORD deb http://repo.cumulusnetworks.com CumulusLinux-VERSION security-updates
When you finish upgrading, add the word
updates to the end of the
main addons entry in
Warning! Do not install security patches from Debian directly unless you have consulted with Cumulus Networks directly.
Discovering Security Issues
Users who become aware of a security vulnerability in Cumulus Linux should contact Cumulus Networks with details of the vulnerability. Please send descriptions of any vulnerabilities to email@example.com.
Any vulnerability reported through our customers, and not yet reported by Debian will be reported to the Debian security team (firstname.lastname@example.org or email@example.com) and a bug will be filed in Debian BTS with a tag of security.
In addition, Cumulus Networks will work in conjunction with Debian's security team to resolve the issue in a timely manner and publish an advisory as quickly as possible.
Contacting Cumulus Networks' Security Team
As noted above, please contact us at firstname.lastname@example.org with any security-related questions and issues.