Web Programming and Design / Re: withgusto Networks - Status Updates and Discussion
« on: September 25, 2014, 03:42:48 am »
Major Security Updates - 09/25/2014
Importance: URGENT
Author: albert
Date: Thurs, September 25th, 2014 at 12:38:03 AM PDT
Blog post: http://withg.org/blog/index.php?post=1411630683
Major Security Updates
======================
Major BASH Bug Patch
--------------------
In case you were asleep (you probably were), a very scary BASH bug
appeared!
For those in the security world, the bug is CVE-2014-6271. Take a peek
at it! For those who know a bit of BASH, here's a good article about it
(and admittedly, the way I found out about this bug):
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
All - I repeat - ALL withgusto servers were affected and immediately
patched. At this time, no known attacks have been spotted.
You do NOT need to restart BASH to get the fix. Every BASH invocation
starts a fresh process from the (now patched) binary, so the new BASH
closes the security hole automatically due to the nature of the bug. We
tested this ourselves:
albert@withgusto2:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
albert@withgusto2:~$ sudo su
..... (logging in here)
root@withgusto2:/home/albert# sudo aptitude
..... (updating here)
Processing triggers for python-support ...
Press return to continue.
root@withgusto2:/home/albert# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
root@withgusto2:/home/albert# exit
albert@withgusto2:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
albert@withgusto2:~$
If users are using BASH in a web-connected application, shame on you
(and me**) - this fix is for you. Now stop using BASH! (This applies
even if you don't call BASH directly - for instance, if you are running
a command in a shell environment, like with Python's subprocess +
'shell=True'.)
Bottom line - do NOT use a shell in a web-connected application! Avoid it
if possible!
** In the past, the owner wrote some questionable things... now, those
things are no more!
The BASH Security Bug
---------------------
From the article, there's a really easy way to check if your system is
at risk:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
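The two points above, "don't hand web input to a shell" and "the bug triggers on an environment value starting with `() {`", as an added Python example (not code from the withgusto post): a child process is started with `shell=False` and an allow-listed environment, and any variable whose value carries the function-definition prefix is flagged and dropped. The helper names and the sample CGI environment are constructed for this illustration.

```python
import re
import subprocess

# Pre-patch bash imports any environment variable whose value starts with
# "() {" as a shell function, and a vulnerable build also runs whatever
# follows the closing brace. Only the prefix is checked here: it is the part
# of the test string on the page that a payload cannot omit.
_FUNCTION_DEF = re.compile(r"^\s*\(\)\s*\{")

# Variables a child process genuinely needs. Everything else (including the
# HTTP_*/QUERY_STRING values a CGI or proxy layer copies in) is dropped, so a
# request header never reaches a child's environment at all.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TZ")


def is_function_definition(value: str) -> bool:
    """True if the value would be imported as a function by unpatched bash."""
    return bool(_FUNCTION_DEF.match(value))


def scrub_env(env: dict) -> tuple:
    """Return (child_env, flagged): the allow-listed copy of env, and the
    names of variables whose values matched the function-definition prefix
    (worth logging as an attempted exploitation, even on a patched host)."""
    flagged = sorted(k for k, v in env.items() if is_function_definition(v))
    child_env = {k: v for k, v in env.items()
                 if k in ALLOWED_ENV and not is_function_definition(v)}
    return child_env, flagged


def run_no_shell(argv: list, env: dict) -> subprocess.CompletedProcess:
    """Run argv directly (shell=False): no bash is started, so neither the
    environment import nor shell metacharacters in arguments are interpreted.
    argv must already be split into separate arguments, never one string."""
    if not isinstance(argv, (list, tuple)) or not argv:
        raise TypeError("argv must be a non-empty list of separate arguments")
    child_env, _flagged = scrub_env(env)
    return subprocess.run(list(argv), env=child_env, capture_output=True,
                          text=True, check=False)


# Constructed sample: what a CGI wrapper would pass to a child on one request.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",
    "QUERY_STRING": "q=withgusto",
}

if __name__ == "__main__":
    child_env, flagged = scrub_env(SAMPLE_CGI_ENV)
    print("flagged:", flagged)        # ['HTTP_USER_AGENT']
    print("child env:", child_env)    # only PATH and LANG survive
    print(run_no_shell(["echo", "this is a test"], SAMPLE_CGI_ENV).stdout)
```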
Other Security Patches
----------------------
At this time, we also discovered that Debian 6.x (squeeze) security
updates were moved to a different repository - an official LTS
(Long-Term Support) repository on Debian's server. (Shamefully...)
Rather than going crazy with not knowing about this repository, we
decided to go ahead and update the server with the latest security
updates from that repository. There may have been downtime during this
update, so we apologize for any inconvenience!
If you are experiencing any issues, restart the application. This
should fix the problem. If you are still having issues, please notify
the admins ASAP so that we can get it fixed!
Needless to say, this was done on all servers, so we are 99% updated.
We hope to make it 100% once we migrate to new servers (and Debian 7)!
IMPORTANT SURVEYS
-----------------
We are moving servers, and we REALLY NEED YOUR INPUT!!!
Fill out the next few surveys, if you haven't already.
For those who have already filled them out, we apologize for spamming
you with needless survey form requests, and we thank you for doing them!
This is a community supported server, and we really appreciate your
input in making withgusto a better place!
URGENT - "I'm Alive" Survey
---------------------------
In order to make the migration efficient and increase security, we are
asking active users to take this survey to simply say
"I'm alive/active"! We've noticed that there's a LOT of old user
accounts (some of which are long since inactive), and we want to clean
them up in preparation for migrating to the new server.
(No worries - in the future, inactivity will be handled differently.)
Please fill out the survey here to declare your activity:
https://docs.google.com/forms/d/1Cw1VSGm7Vq-SQKcryLwA1rs63pwGrXYaL4ckRTvGIOk/viewform
Note that if your name is not on this survey, your account on withgusto
(including ZNC, shell, email, etc.) is at risk of being DISABLED and
archived. So please fill it out!
Provider Survey - Final Round!
------------------------------
We've narrowed down the list of providers to a select few, and we need your
help in determining our final provider!
PLEASE, PLEASE FILL IT OUT!
https://docs.google.com/forms/d/12vydTaZe4MPW4Cf-mlWkbMHAJa5Fajf6EDXj50yuz60/viewform
This will be the last survey before the migration begins.
Migration Survey
----------------
We've noticed that not many of our user base have filled out our
migration survey. While you're at it, if you haven't filled out our
migration survey, PLEASE FILL IT OUT!
https://docs.google.com/forms/d/1tDwSGjn_qul5_TsffkAdVn5SwZspgTGORTeVOkW3sT8/viewform