Note: This article covers both Ubuntu and Debian, emphasizing JetPatch’s unified support. Security updates for both operating systems are directly managed using Ubuntu Security Notices (USN) and Debian Security Advisories (DSA).
Understanding Patch Components
JetPatch manages software updates for Ubuntu and Debian at the package level, organized into specific categories:
Channels (Components)
Ubuntu Components:
- Main: Canonical-supported free and open-source software.
- Restricted: Proprietary drivers/software supported by Canonical.
- Universe: Community-maintained free software.
- Multiverse: Software with license or legal restrictions.
Debian Components:
- Main: Fully free open-source software.
- Contrib: Free software depending on non-free components.
- Non-free: Software with proprietary licenses.
Note: Ubuntu standard installations typically include Main and Restricted. Debian installations usually include Main, but Contrib and Non-free can be added as needed.
Repositories (Pockets)
Both Ubuntu and Debian use repositories to organize updates:
- Release: Original package set; frozen after OS release.
- Updates: Recommended, non-security updates.
- Backports: Newer software versions backported to older releases.
Note: Security updates for both systems are now managed directly through USN (Ubuntu) and DSA (Debian), not as rollups.
JetPatch Support
JetPatch integrates security updates directly from official notices:
Ubuntu Security Notices (USN)
- Whitelist: https://ubuntu.com/security/notices.json
- Provides CVE mapping and patch details directly.
Debian Security Advisories (DSA)
- Whitelist: https://lists.debian.org/debian-security-announce/
- Provides direct access to security advisories for Debian 11.x and 12.x.
Security Patch Management
Security updates are handled separately through:
- Ubuntu: Patch IDs directly linked to USNs (e.g., UB-20.04-USN-1234).
- Debian: Patch IDs directly tied to DSAs (e.g., DE-11-DSA-5678).
Ubuntu Rollup-Based Patch Management (Non-Security)
JetPatch manages Ubuntu non-security updates in groups called "Rollups," formed from combinations of components and repositories:
- 3 Repositories (Release, Updates, Backports) × 4 Components = 12 Rollups per Ubuntu/Debian version
Patch Catalog Information
JetPatch Patch Catalog provides the following details for each rollup-based patch:
- Patch ID: Generated uniquely for each rollup combination (e.g., UBRM-JP:2011 for Ubuntu 20.04 Release Main).
- Patch Description & Title: Identified clearly by OS codename and rollup (e.g., focal-main).
- Operating System: Specific to Ubuntu or Debian and clearly shown in the catalog.
- Category: Defined by repository type (Release, Updates, Backports).
- Needed On: Indicates endpoints requiring patch deployment.
Rollback
JetPatch does not support automatic rollback. Ensure proper backups and staging tests are done prior to deployments.
Example Patch Deployment
Ubuntu 20.04 Example (Non-Security Updates):
- UBRM-JP:2011 focal-main (Release Main)
- UBUM-JP:2031 focal-updates main (Updates Main)
Security Example (via USN):
- UB-20.04-USN-1234 focal-USN-1234
Debian Security Example (via DSA):
- DE-11-DSA-5678 bullseye-DSA-5678
Once applied, patches remain compliant until newer updates emerge.
FAQ: How do I know which Ubuntu "rollup" packages are going to be deployed during patch execution?
- Go to the Activities table
- Filter by the relevant Remediation Plan
- View the output of the "execute patch installation for single computer" activity on your Ubuntu machines.
- Download the output to view as shown below.
The following NEW packages will be installed:
linux-headers-5.4.0-80 linux-headers-5.4.0-80-generic
linux-image-5.4.0-80-generic linux-modules-5.4.0-80-generic
linux-modules-extra-5.4.0-80-generic
The following packages will be upgraded:
alsa-ucm-conf apt apt-utils cloud-init initramfs-tools initramfs-tools-bin
initramfs-tools-core libapt-pkg6.0 libnss-systemd libpam-modules
libpam-modules-bin libpam-runtime libpam-systemd libpam0g libprocps8
libssl1.1 libsystemd0 libudev1 linux-base linux-firmware linux-generic
linux-headers-generic linux-image-generic openssl procps python-apt-common
python3-apt python3-distupgrade snapd sosreport systemd systemd-sysv
systemd-timesyncd ubuntu-release-upgrader-core udev update-notifier-common
36 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
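Because JetPatch does not roll back automatically, it helps to review the downloaded activity output programmatically. The following is an added example, not JetPatch code: it parses the apt output shown above (embedded as a sample), cross-checks the package lists against apt's summary line to catch truncated output, and lists kernel image packages. The function names are assumptions made for this example.

```python
import re

# Sample: the activity output shown in this article, embedded so the example runs offline.
SAMPLE = """\
The following NEW packages will be installed:
linux-headers-5.4.0-80 linux-headers-5.4.0-80-generic
linux-image-5.4.0-80-generic linux-modules-5.4.0-80-generic
linux-modules-extra-5.4.0-80-generic
The following packages will be upgraded:
alsa-ucm-conf apt apt-utils cloud-init initramfs-tools initramfs-tools-bin
initramfs-tools-core libapt-pkg6.0 libnss-systemd libpam-modules
libpam-modules-bin libpam-runtime libpam-systemd libpam0g libprocps8
libssl1.1 libsystemd0 libudev1 linux-base linux-firmware linux-generic
linux-headers-generic linux-image-generic openssl procps python-apt-common
python3-apt python3-distupgrade snapd sosreport systemd systemd-sysv
systemd-timesyncd ubuntu-release-upgrader-core udev update-notifier-common
36 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
"""

HEADERS = {"The following NEW packages will be installed:": "new",
           "The following packages will be upgraded:": "upgraded",
           "The following packages will be REMOVED:": "removed"}
SUMMARY = re.compile(r"(\d+) upgraded, (\d+) newly installed, (\d+) to remove")

def parse_apt_output(text):
    """Return package lists per section plus the counts apt reports."""
    result = {"new": [], "upgraded": [], "removed": [], "counts": None}
    section = None
    for line in map(str.strip, text.splitlines()):
        m = SUMMARY.match(line)
        if line in HEADERS:
            section = HEADERS[line]
        elif m:
            result["counts"] = dict(zip(("upgraded", "new", "removed"), map(int, m.groups())))
            section = None
        elif line.startswith("The following"):
            section = None  # a section we do not track, e.g. kept-back packages
        elif section and line:
            result[section].extend(line.split())
    return result

def count_mismatches(parsed):
    """Sections whose parsed package count disagrees with apt's summary line."""
    if parsed["counts"] is None:
        raise ValueError("no apt summary line found; output may be truncated")
    return [k for k, n in parsed["counts"].items() if len(parsed[k]) != n]

# Kernel images in the transaction: a new kernel only takes effect after a reboot.
def kernel_images(parsed):
    return [p for p in parsed["new"] + parsed["upgraded"] if p.startswith("linux-image-")]
```

An empty list from count_mismatches means the downloaded output is complete; a non-empty "removed" list is worth reviewing before approving the same rollup on further endpoints.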