
TECHTIP:Kernel Security Hotfixes for Appliances

From rPath Wiki

Topic: Kernel vulnerabilities may require security hotfixes on appliances
Applies to: All versions of rPath Appliance Platform Linux Service and rPath Linux

Occasionally there is a security vulnerability in a Linux kernel that requires a timely hotfix to prevent systems with that kernel from being compromised. For appliances based on the rPath Appliance Platform Linux Service (rLS) or rPath Linux (rPL), refer to this techtip when addressing such kernel security hotfixes. See rPath advisory rPSA-2008-0052 (regarding kernel versions 2.6.17 through 2.6.22.18) for more information on the vulnerability that prompted this techtip.

For appliances using the kernel as provided by rPL or rLS...
The only requirement for incorporating an updated kernel from rPL or rLS should be to rebuild the Conary group that defines the appliance. If the group recipe references a specific kernel, update the recipe as necessary to reference an up-to-date kernel including the fix. Otherwise, Conary will assemble the operating system with the latest kernel, which should include the fixes as described in rPath's advisories.
For appliances using a custom kernel...
Appliance developers with a custom kernel have probably shadowed the kernel package from rPL or rLS for use in an appliance and modified the kernel as desired. This techtip assumes that developers with custom kernels are familiar with keeping a kernel up to date. When rPath advises on a security hotfix, incorporate those fixes from upstream into the custom kernel package. After updating the custom kernel package, rebuild the Conary group that defines the appliance and be sure the appliance works as desired.
In both cases, test and release the kernel update...
Be sure to test the appliance with the updated kernel before promoting it for release. Also, after releasing the updated appliance group, be sure to alert owners of deployed appliances that they should schedule an appliance update as soon as possible.
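
A first-pass check for the test step and for triaging deployed appliances, added here as an example (it is not rPath tooling): it classifies kernel release strings against the 2.6.17 through 2.6.22.18 range this page cites from rPSA-2008-0052. The function names and sample release strings are constructed, and it assumes the upstream part of the release string reflects fix status, which a custom kernel with a backported fix may not.

```shell
#!/bin/sh
# Added example: classify kernel release strings against the range cited on
# this page for rPSA-2008-0052 (2.6.17 through 2.6.22.18, inclusive).
# Assumption: the upstream version in the release string reflects fix status;
# a kernel carrying a backported fix can still report an in-range version.

# Turn "2.6.22.18-0.1-smp" into a sortable integer key. Everything after the
# first "-" is a build suffix and is ignored; missing components count as 0.
kver_key() {
    printf '%s\n' "${1%%-*}" | awk -F. '
        NF < 2 || NF > 4 { exit 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3) exit 1
          printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# Print in-range, outside-range, or unparsed for one release string.
# Unparsed strings need a manual look rather than a silent pass.
classify_kernel() {
    key=$(kver_key "$1") || { echo unparsed; return 0; }
    if [ "$key" -ge 2006017000 ] && [ "$key" -le 2006022018 ]; then
        echo in-range
    else
        echo outside-range
    fi
}

# With no arguments, run over constructed sample strings (not taken from any
# real appliance). Otherwise classify each argument, e.g. "$(uname -r)".
[ "$#" -gt 0 ] || set -- 2.6.16.60-0.1 2.6.17 2.6.22.18-0.1-smp 2.6.22.19-0.2 custom-build
for rel in "$@"; do
    printf '%-22s %s\n' "$rel" "$(classify_kernel "$rel")"
done
```

Treat an `in-range` or `unparsed` result as a prompt to confirm which kernel the rebuilt group actually contains, not as proof that the appliance is vulnerable.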