To keep your server secure and up to date, it is important to update the OS packages on your server. This guide explains how to perform these updates, depending on which OS and control panel your server uses. If you have questions about the update process, contact support@eapps.com. If you would like eApps to perform these updates for you, contact sales@eapps.com.
Note that for severe security issues, eApps may apply patches to your server, or provide specific instructions to you about what you need to do to mitigate the security issues.
First, fetch the latest list of packages from the configured repositories. If you are using ISPmanager, this will include the ISPsystem repository as well as the eApps repository. All commands must be run as root.
# yum makecache
After the repository cache is generated, you can apply updates to a single package or to all installed packages.
You can update a single package using the following syntax:
# yum update <package_name>
For example, to update the openssl package:
# yum update openssl
You may be interested in updating a single package if you want to mitigate a recently discovered vulnerability. In CentOS, security patches may be "backported" to a package without updating the major version number. This is important to keep in mind when scanning your server for PCI compliance. Most PCI scan vendors tend to only look at the major version number of a package and not the security patches it has.
Note: eApps offers PCI Compliance assistance services on a request basis (quoted fee), as well as on a subscription basis (set, recurring quarterly fee). Our technicians will review your PCI scan report and perform software updates and advise you as to other actions that must be taken to pass the scan. See https://portal.eapps.com/order/index.php?pid=76 for information about our PCI Assistance subscription service.
You can check the ChangeLog of a package to determine if a security patch is applied using the following syntax:
# rpm -q --changelog <package_name> | grep <CVE_ID>
Here, we are checking if the openssl package has a patch to fix CVE-2018-5407:
# rpm -q --changelog openssl | grep CVE-2018-5407
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
The fix is included in this version of openssl.
You can see a list of packages that have updates available with the following syntax:
# yum update
You will be presented with a list of packages that have available updates before they are applied so you can confirm.
Note: Updating all packages will also update ISPmanager packages and update the control panel to the latest version. Be sure to check the ChangeLog of the software you are using before applying updates. The ChangeLog for ISPmanager can be found here: https://www.ispsystem.com/software/ispmanager/changelog
cPanel provides their own repositories and update mechanism. While it is possible to use yum as with a regular CentOS install, it is strongly recommended to use the update method built into the control panel.
For instructions on how to update your cPanel & WHM server, see https://documentation.cpanel.net/display/CKB/How+to+Update+Your+System
Plesk can apply software updates through the control panel on Linux. For information on how to do this, see https://docs.plesk.com/en-US/onyx/administrator-guide/server-administration/system-updates-plesk-for-linux-only.75822/
To apply updates to Plesk itself (on Windows and Linux), see https://docs.plesk.com/en-US/onyx/administrator-guide/70989/
You can select a timeframe in which Windows will not automatically restart. Note that this timeframe can only be 12 hours.
You can select a custom date and time for an automatic reboot to occur.
As with CentOS, you need to fetch a list of available updates first. All commands must be run as root.
# apt-get update
After the repository cache is generated, you can apply updates to a single package or to all installed packages.
You can update a single package using the following syntax:
# apt-get --only-upgrade install <package_name>
For example, to update the openssl package:
# apt-get --only-upgrade install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
openssl
1 upgraded, 0 newly installed, 0 to remove and 107 not upgraded.
Need to get 747 kB of archives.
After this operation, 72.7 kB of additional disk space will be used.
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 openssl amd64 1.1.0k-1~deb9u1 [747 kB]
Fetched 747 kB in 0s (14.5 MB/s)
Reading changelogs... Done
(Reading database ... 28570 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.0k-1~deb9u1_amd64.deb ...
Unpacking openssl (1.1.0k-1~deb9u1) over (1.1.0f-3+deb9u1) ...
Setting up openssl (1.1.0k-1~deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
As with CentOS, you can get the ChangeLog of a package to determine if a certain security patch is applied using the following syntax:
# apt changelog openssl
You will be presented with the ChangeLog in your pager. To search through this document, you can scroll up and down or you can use the / character plus your query, such as:
/CVE-2019-1543
You will be taken to the search result and it will be highlighted.
openssl (1.1.0k-1~deb9u1) stretch-security; urgency=medium
* Import 1.1.0k
- CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
To exit, press q.
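The following is an added example, not part of the original guide or any eApps tooling. It automates the ChangeLog check shown for both CentOS (rpm) and Debian (apt) for a whole list of CVE IDs, such as those flagged in a PCI scan report. The function names check_cves, pkg_changelog and sample_changelog are hypothetical, and the sample ChangeLog is constructed from the two entries quoted in this guide plus a placeholder ID.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any eApps tooling.

# Print the changelog of an installed package (rpm-based or apt-based systems).
pkg_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get changelog "$1"
    else
        echo "no rpm or apt-get changelog available for $1" >&2
        return 2
    fi
}

# Read a changelog on stdin and report each CVE ID given as an argument.
# Returns 1 if at least one ID is not mentioned.
check_cves() {
    log=$(cat)
    rc=0
    for cve in "$@"; do
        # -F: fixed string, -w: whole word, so a shorter ID cannot match
        # inside a longer one (plain grep would report a false "patched").
        if printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            echo "patched $cve"
        else
            echo "missing $cve"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the two entries quoted in this guide plus a placeholder ID.
sample_changelog() {
    cat <<'EOF'
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
- CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
- fix CVE-0000-12345 - constructed placeholder entry
EOF
}

# Usage: sh check_cves.sh <package_name> <CVE_ID>...
if [ "$#" -ge 2 ]; then
    pkg=$1
    shift
    pkg_changelog "$pkg" | check_cves "$@"
fi
```

Saved as check_cves.sh (an assumed file name), it can be run as sh check_cves.sh openssl CVE-2018-5407 CVE-2019-1543; the exit status is non-zero when any ID is absent from the ChangeLog, so the result can feed a scheduled compliance check.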
# apt-get upgrade