Originally Posted by YankeePride13
I would like to pick the brains of the more experienced sys admins on this site for a moment.
So let's say you install some server software via yum or apt-get (whether it be MySQL, Bind, DHCPD, whatever) and a little while later there is a CVE alert issued for that particular version of the server software, whatever it is.
It takes a while (if it ever happens) for software bug fixes and security patches to get pushed out via the repositories as they need to be tested so as to not damage any systems that download it.
In that time, rather than leave the system with a glaring security hole, I remove the older package and build the latest build from source via the software vendors site.
Do you then monitor the repositories to see if that bug is fixed and then remove the software you've built from source and re-apt-get or yum? At that point I'd just leave it and keep updating the software manually... in which case I ask what is the point of using apt-get and yum for software like the examples I gave earlier? Does it make more sense to build these packages from source from the very beginning? What does everyone else do? Just kinda looking for best practices.
I would answer with "it depends".
I would first look at the vulnerability itself, and the likelihood that it would affect the server. If it's a fairly serious network vulnerability on a server in the DMZ, then yes, I'd build the latest version from source that addresses that bug, then monitor the repos to see when the 'real' package has been updated and install it, as you said. Given the same software on the INTERNAL network, behind several layers of firewalls/DMZ/etc., then I'd probably just wait for the official update.
I tend to treat servers on the internal network differently than the ones that are externally facing. Internally, I'd have Snort and other things watching my systems, and can easily trace back events to a specific area (and DESK, oftentimes). If anything hinky is going on, I shovel all the documentation over to internal security, and wait to see who they escort out of the building later that day.
Externally, I'm FAR more stringent.
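On the "monitor the repos" step: an added example, not from anyone in this thread, that checks whether the distro's package changelog names a given CVE, which is how Debian-style security updates record backported fixes (the package version number alone will not tell you). The package name, versions and CVE id in the sample changelog are constructed placeholders; in practice you would feed it the output of `apt-get changelog <package>`.

```python
import re

# Constructed sample of a Debian-format changelog, newest entry first.
# Package name, versions and CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
exampled (1.2.3-4+deb8u2) jessie-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder id).

 -- Maintainer <maint@example.invalid>  Tue, 03 Mar 2015 10:00:00 +0000

exampled (1.2.3-4+deb8u1) jessie-security; urgency=high

  * Fix CVE-0000-0001 (placeholder id): remote crash in request parser.

 -- Maintainer <maint@example.invalid>  Mon, 02 Feb 2015 09:00:00 +0000

exampled (1.2.3-4) unstable; urgency=medium

  * New upstream release.

 -- Maintainer <maint@example.invalid>  Thu, 01 Jan 2015 08:00:00 +0000
"""

# An entry header looks like: "<package> (<version>) <dist>; urgency=<x>"
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)


def parse_changelog(text):
    """Return [(version, body), ...] in changelog order (newest first)."""
    matches = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def versions_mentioning(text, cve_id):
    """Versions whose changelog entry names the CVE (exact id, no prefix match)."""
    pat = re.compile(re.escape(cve_id) + r"(?!\d)")
    return [v for v, body in parse_changelog(text) if pat.search(body)]


def fix_status(text, cve_id, installed_version):
    """'fixed', 'vulnerable' or 'unknown' for the installed version.

    Decided by position in the changelog (newest first), so no need to
    re-implement dpkg version ordering. 'unknown' means the CVE is not
    mentioned at all or the installed version is not in the changelog
    (e.g. a build from source, which this check cannot vouch for).
    """
    versions = [v for v, _ in parse_changelog(text)]
    fixing = versions_mentioning(text, cve_id)
    if not fixing or installed_version not in versions:
        return "unknown"
    first_fix = max(versions.index(v) for v in fixing)  # oldest fixing entry
    return "fixed" if versions.index(installed_version) <= first_fix else "vulnerable"
```

RPM-based distros keep the same kind of information in `rpm -q --changelog <package>`, but in a different layout, so the header regex would need adjusting there.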