Software security update procedures

DRAFT

For HDX and other IT components operated by the Data Services Section, we will apply all security updates within 30 days of release, unless there are extenuating circumstances that prevent the update. In the case of extenuating circumstances, we will log each case in the table below, along with the reason, anticipated risks, and actions we're taking to mitigate those risks.

Component: NodeJS
Frozen version: v0.10.25
Reason: custom forked app depending on exotic packages
Known risks: all NodeJS critical vulnerabilities from 0.10.x up to the current version; the most recent ones addressed upstream are listed here: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
Risk mitigation:
  1. Monitor mailing lists and other sources for security vulnerabilities in this version.
  2. Automated vulnerability scans by DockerHub.