Patching and Updates Standard

Purpose

This standard defines the practices for patching and updates for all web servers administered by Web Services.

Brief Description

Purdue IT patches its systems on a regularly scheduled basis for both security and functional issues. Web Services provides additional patching for software not included as part of the operating system distribution. All non-production systems are patched before production systems, allowing developers at least one week to test their sites against the updated software before it affects their production sites. Issues found should be reported promptly to Web Services.

Details

Purdue IT regularly patches and updates software on all web servers to address security and functional issues. Most patching is handled as part of system maintenance by our platform administrators using updates provided by vendors (Microsoft, Red Hat, etc.). As such, some versions of software available on our systems are limited by what the vendor provides. In these cases, fixes for security and other serious bugs are back-ported by the vendors so that, although the software may be an older version, it is patched and kept secure. Web Services patches software that is not distributed as part of the system.

Schedule of Patching

Patches are normally applied to systems according to a regular schedule. When a serious issue is identified outside of the normal patching cycle, special “out of band” patching may take place and will be announced. The schedules for patching are:

Linux

  • Non-production (development and QA) systems are patched on the 2nd of each month.
  • Production systems are patched on the 21st of each month.

Windows

Microsoft releases their patches and updates for Windows on the 2nd Tuesday of each month (known as “Patch Tuesday”).

  • Non-production (development and QA) systems are patched on the Thursday following Patch Tuesday, with clean-up patching (for systems that need manual intervention) occurring on the Saturday after that.
  • Production systems are patched on the Saturday 11 days after Patch Tuesday, with clean-up patching occurring on the following Saturday.

WordPress

The core WordPress software as well as all properly configured plug-ins and themes updatable through the official WordPress update mechanism are patched by Web Services.

  • Development sites are patched on the 1st Tuesday of the month.
  • QA sites are patched on the 1st Wednesday (following the 1st Tuesday) of the month.
  • Production sites are patched on the 3rd Tuesday of the month.

Other Software

Web Services monitors the status of other software for patches and updates, and schedules them as needed. These will be announced to affected developers.

Developer Responsibilities

Since all non-production systems are patched at least one week prior to production systems receiving the same patches, it is important for all site developers to check their development and/or QA sites after non-production patching. If any issues are found, please contact Web Services as soon as possible. We may be able to stop the patch from applying to production systems while we work on a resolution with you.