What is a Backport?
Backporting is when a software patch or update is taken from a recent software version and applied to an older version of the same software.
A backport is most commonly used to address security flaws in legacy software or older versions of the software that are still supported by the developer. In many cases, the user maintains the older version of the software because the newer version has stability issues or may be incompatible with downstream applications.
How Backporting Works
Backporting is a catch-all term for any activity that applies updates or patches from a newer version of software to an older version.
This process can be as straightforward as updating several lines of code; it can also involve a major overhaul that is spread across multiple files of the code.
In the latter case, applying a backport may be impractical as compared to upgrading to the latest version of the software. However, in select cases, it may be necessary to retain a legacy application if the newer version of the application has stability issues that may impact mission-critical operations.
The Backporting Process
Backporting is a multi-step process. Here we outline the basic steps to develop and deploy a backport:
- Identify the security flaw within the software version that requires a patch or update.
- Determine what patches, updates or modifications are available to address this issue in later versions of the same software.
- Adapt the modification to be compatible with the older code version.
- Conduct robust testing to ensure that the backported code or backport package maintains full functionality within the IT architecture, as well as addresses the underlying security flaw.
- Address any unwanted side effects identified in the previous step.
- Deploy the backported patch.
Who is Responsible for Backporting?
Backporting requires access to the software’s source code. As such, the backport can be developed and provided by the core development team for closed-source software. This can be done as part of an official patch or bug fix. For open-source software, such as Linux, a backport can be provided by a third party and then submitted to the software development team.
Where Does Backporting Fit in Vulnerability Management
Backporting has many advantages, though it is by no means a simple fix to complex security problems. Further, relying on a backport in the long-term may introduce other security threats, the risk of which may outweigh that of the original issue.
Common Backporting Issues and Considerations
Long-term Support and Maintenance Costs
Backports can be an effective way to address security flaws and vulnerabilities in older versions of software. However, each backport introduces a fair amount of complexity within the system architecture and can be costly to maintain.
For example, Python 2.7.18 was the final official release of Python 2. In order to remain current with security patches and continue enjoying all of the new developments Python has to offer, organizations needed to upgrade to Python 3 or start freezing requirements and commit to legacy long-term support. CrowdStrike’s data science team faced this exact dilemma. This article explores the team’s decision-making process as well as the steps the team took to update approximately 200K lines of Python into a modern framework.
Backporting Side Effects
As discussed in our Python blog post, each backport can create many unwanted side effects within the IT environment. Just as an upstream software application affects all downstream applications, so too does a backport applied to the core software. This is also true if the backport is applied within the kernel.
Additional Security Implications and Vulnerabilities
Backporting is a common technique to address a known bug within the IT environment. At the same time, relying on a legacy codebase introduces other potentially significant security implications for organizations. Relying on old or legacy code could result in introducing weaknesses or vulnerabilities in your environment. These issues affect not only the main application but also all dependent libraries and forked applications to public repositories. It is important to consider how each backport fits within the organization’s overall security strategy, as well as the IT architecture. This applies to both upstream software applications and the kernel itself.
Numeration Confusion
Backporting can give users a false sense of security if the enumeration process is not fully understood. For example, users may read media reports about upgrading their software to address security issues. However, what they actually do is install an updated package from the vendor and not the latest upstream version of the application. In this scenario, the user is still running an older upstream version of the software with backport packages applied. This does not provide the full security features and benefits of operating the latest version of the software. Users should double-check to see the specific software update number to ensure they are updating to the latest version.