About third-party security patches

EclecticIQ announces security issues concerning EclecticIQ Platform and its third-party dependencies in the Security advisories section.

For an overview of security issues reported so far, see Security Advisories.

About third-party security patches

Platform releases may include security patches for application library dependencies and third-party system services, when applicable and when the patches are available.

However, the EclecticIQ Platform release cycle and the security issue patching release cycle are independent from each other.

For more information about any addressed security issues in a specific platform release, see the Security issues and mitigation actions section in the relevant release notes.

When third parties release updates of their products after addressing a security issue, EclecticIQ makes the relevant patched dependencies available on Bintray as soon as possible.

Platform users can download patched third-party dependencies – that is, application library dependencies and system services – from the EclecticIQ Bintray repository, and they can proceed to install them on their systems.

These fixes are released independently of the product release cycle.

About installing third-party security patches

During installation and upgrade, the platform locks dependency versions.

Therefore, make sure that:

  1. Before you install a dependency to update your system after a security issue is patched, unlock or unpin the locked/pinned versions of the dependencies you are about to install.

  2. After the patched dependency installation completes, lock or pin the relevant dependency versions again.

Example

  1. Unlock the versions of currently installed software:

    # Unlock versions
    yum versionlock clear
    
  2. Install the patched dependencies.

  3. Lock the versions of the platform dependencies:

    # Lock versions
    yum versionlock \
        eclecticiq-platform \
        eclecticiq-platform-api \
        eclecticiq-platform-common \
        eclecticiq-platform-ui \
        elasticsearch \
        kibana \
        logstash \
        neo4j \
        postgresql11-contrib \
        postgresql11-devel \
        postgresql11-server \
        python3 \
        redis \
        ${PATCH_DEPENDENCY_NAME}
        # ... add one such line for each patched dependency you installed
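The three steps above (unlock, install, relock) leave a window in which the recorded lock set is gone, so a practitioner usually records it first and restores it afterwards. The script below is an added example, not part of the EclecticIQ documentation or product; it assumes a RHEL/CentOS host with the yum versionlock plugin, and the `SAMPLE_LIST` output it parses offline is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not EclecticIQ's own code): record the current versionlock set,
# clear it, install the patched dependencies, then relock the old set plus the new ones.
# Assumption: RHEL/CentOS with yum-plugin-versionlock installed.
set -eu

LOCKFILE="${LOCKFILE:-/var/tmp/eiq-versionlock.before}"

# Turn `yum versionlock list` output into bare package names.
# Entries look like "0:redis-5.0.7-1.el7.*" (epoch:name-version-release.arch);
# yum's header/footer lines do not start with an epoch and are dropped.
lock_names() {
  grep -E '^[0-9]+:' | sed -E 's/^[0-9]+://; s/-[^-]+-[^-]+$//'
}

# Union of the saved lock names ($1) and the freshly patched package names (rest).
relock_set() {
  saved="$1"; shift
  { cat "$saved"; printf '%s\n' "$@"; } | sort -u
}

# Live procedure, mirroring the documented steps. Usage: apply_patches <pkg>...
apply_patches() {
  yum versionlock list | lock_names > "$LOCKFILE"   # remember what was locked
  yum versionlock clear                             # step 1: unlock
  yum -y install "$@"                               # step 2: install/update patched deps
  # step 3: lock again at the versions now on disk, including the new packages
  relock_set "$LOCKFILE" "$@" | xargs yum versionlock add
}

# Constructed sample of `yum versionlock list` output for the offline check below.
SAMPLE_LIST='Loaded plugins: fastestmirror, versionlock
0:eclecticiq-platform-2.9.0-1.el7.*
0:postgresql11-server-11.7-1PGDG.rhel7.*
0:redis-5.0.7-1.el7.*
versionlock list done'

# Offline demonstration: parse the sample, then merge in two patched dependencies
# (redis is already locked and must not be duplicated; python3 is new).
demo_relock() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LIST" | lock_names > "$tmp"
  relock_set "$tmp" redis python3 | xargs   # joins names with single spaces
  rm -f "$tmp"
}
```

Run `demo_relock` to see the merged lock set without touching yum; `apply_patches <pkg>...` performs the real unlock/install/relock cycle on a platform host.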