Security Responses and Updates
Cumulus Networks believes in the Linux model of security through transparency. Cumulus Networks constantly monitors security advisories and will provide updated packages and notify users when major vulnerabilities affect Cumulus Linux.
Subscribe to the Cumulus Networks Security Announcements mailing list so you can receive notification from Cumulus Networks whenever we discover a security issue.
All our security issues are tracked on the mailing list and referenced in this article.
Since Cumulus Linux is based on the Debian distribution, Cumulus Networks will, within a reasonable time frame, address security problems in accordance with the Debian policies in place.
Every Cumulus Linux release will include all applicable security patches available prior to the build date. Any new vulnerabilities listed by Debian after the release will be evaluated and made available as a package update in the Cumulus Linux repository.
Upgrading Cumulus Linux for Security Updates
When Cumulus Networks or Debian.org issues a critical security update, Cumulus Networks will update Cumulus Linux and describe the nature of the update in an article in the Security section of the knowledge base. Other security fixes are added to the Cumulus repositories without announcements (Debian announces all security updates).
If the article does not specify a procedure for upgrading Cumulus Linux, follow these steps instead:
Do not install security patches from Debian directly unless you have consulted with Cumulus Networks directly.
Discovering Security Issues
Users who become aware of a security vulnerability in Cumulus Linux should contact Cumulus Networks with details of the vulnerability. Please send descriptions of any vulnerabilities to email@example.com.
Any vulnerability reported through our customers, and not yet reported by Debian will be reported to the Debian security team (firstname.lastname@example.org or email@example.com) and a bug will be filed in Debian BTS with a tag of security.
In addition, Cumulus Networks will work in conjunction with Debian’s security team to resolve the issue in a timely manner and publish an advisory as quickly as possible.
Contacting the Cumulus Networks Security Team
As noted above, please contact us at firstname.lastname@example.org with any security-related questions and issues.