
Re: Updated information on Shellshock for perfSONAR Toolkit Users


  • From: Andrew Lake <>
  • To: perfsonar-user <>, perfsonar-announce <>
  • Subject: Re: Updated information on Shellshock for perfSONAR Toolkit Users
  • Date: Tue, 30 Sep 2014 13:51:34 -0400

Hi all,

New LiveCD and LiveUSB images are now available at
http://software.internet2.edu/pS-Performance_Toolkit/

See Jason's note below for more details. These contain the latest shellshock
fixes from the last few days. It is highly recommended all LiveCD users
upgrade to this version. Since new vulnerabilities seem to be appearing
rapidly, we will continue to do our best to respond quickly as issues arise.

Thank you,
Andy

On Sep 29, 2014, at 5:58 PM, Jason Zurawski
<>
wrote:

> Greetings;
>
> We have 2 pieces of news to report on the ongoing shellshock situation:
>
> 1) As of this afternoon we have not seen any additional patches made by the
> upstream vendors. For those playing the home game here is the current
> list of vulnerabilities:
>
>> CVE-2014-6271 [Original vulnerability]
>> CVE-2014-6277
>> CVE-2014-6278
>> CVE-2014-7169
>> CVE-2014-7186
>> CVE-2014-7187
>
> Note that if you 'yum update'd last week, you should check again to be sure
> you have the 'latest', this is because new vulnerabilities were announced
> right after the initial fix was released. We will continue to monitor the
> situation and keep everyone posted on things we see. If you haven't
> enabled yum auto-updating yet - consider reading this to do so:
> http://www.perfsonar.net/about/faq/#Q53
>
> Many of you have emailed to note that speed is the most important asset in
> patching this vulnerability - even if you were 'fast' there is a chance you
> could have been beaten. We would suggest verifying your systems to check
> for rootkits (rkhunter and chkrootkit are popular products), and/or if
> someone is running an IRC bot. When in doubt, yank it off the network and
> rebuild.
>
> 2) Working with community members, we have identified 2 ways to further
> reduce the risk of perfSONAR Toolkit systems. Note that the risk does not
> fully go away until bash is completely patched. These two approaches can
> help in the meantime by reducing the visibility via the web:
>
> a) A new RPM for version 3.3 (netinstall only) of the toolkit environment
> was built, and is now available in yum - it is 3.3.2-18. The modification
> in this update prevents the Perl interpreter from using bash for some of its
> operations; some functionality will be reduced as a result. Please do the
> following to get this update:
>
> - yum update
>
> - reboot the system
>
> b) If you are using a 3.3 LiveCD, or a 3.4 (RC*) installation, we are
> working on updated builds to address the problem as in part a). In the
> meantime, the following modifications can be made to the apache
> configuration to lock down *all* access to the Toolkit web interface:
>
> - Open the configuration file:
> /etc/httpd/conf.d/apache-toolkit_web_gui.conf
>
> - Search for instances of these permissions:
>
>> Order allow,deny
>> Allow from all
>
> - Modify the permissions to look like this (replacing the obvious
> fake address with a real one, multiple 'Allow' lines are permitted):
>
>> Order deny,allow
>> Allow from AAA.BBB.CCC.DDD/16
>> Deny from All
>
> - restart httpd (sudo /etc/init.d/httpd restart) or reboot
>
> Please reach out to us at
>
> if you have additional questions on status of the vulnerability or our
> response.
>
> Thanks;
>
> -jason
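The Apache lockdown in part b) of Jason's message, applied with awk instead of a hand edit, as an added example that is not part of the original thread or of the perfSONAR project. It rewrites every "Order allow,deny" / "Allow from all" pair into the deny-by-default form with one permitted network and includes a check that no "Allow from all" line is left. The config file path, the 10.0.0.0/16 network and the sample stanza are placeholders constructed for the example, not the real toolkit file.

```shell
#!/bin/sh
# Added example (not from the perfSONAR project): apply the part b) lockdown
# from the message above with awk instead of a hand edit. Every
# "Order allow,deny" / "Allow from all" pair becomes deny-by-default with a
# single permitted network. The config file path and the 10.0.0.0/16 network
# used below are placeholders; the sample stanza is constructed, not the real
# toolkit file.
set -e

# Constructed sample resembling the stanza the message tells you to search for.
make_sample_conf() {
  cat > "$1" <<'EOF'
<Directory "/placeholder/toolkit/web">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Rewrite each "Order allow,deny" + "Allow from all" pair into the restricted
# form from the message: Order deny,allow / Allow from NET / Deny from All.
# Usage: lockdown_conf /etc/httpd/conf.d/apache-toolkit_web_gui.conf AAA.BBB.CCC.DDD/16
lockdown_conf() {
  conf="$1"; net="$2"
  awk -v net="$net" '
    # Remember an "Order allow,deny" line; decide what to do when the next line arrives.
    /^[ \t]*Order[ \t]+allow,deny[ \t]*$/ { hold = $0; next }
    hold != "" && tolower($0) ~ /^[ \t]*allow[ \t]+from[ \t]+all[ \t]*$/ {
      indent = hold; sub(/Order.*/, "", indent)   # keep the original indentation
      print indent "Order deny,allow"
      print indent "Allow from " net
      print indent "Deny from All"
      hold = ""; next
    }
    hold != "" { print hold; hold = "" }           # Order line not followed by "Allow from all": keep it
    { print }
    END { if (hold != "") print hold }
  ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Check: succeeds (exit 0) only when no "Allow from all" line is left in the file.
conf_is_locked_down() {
  ! grep -qiE '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all[[:space:]]*$' "$1"
}

# Demo on a throwaway copy; point lockdown_conf at the real file only after
# reviewing the result, then restart httpd as the message says.
demo="$(mktemp)"
make_sample_conf "$demo"
lockdown_conf "$demo" 10.0.0.0/16
cat "$demo"
rm -f "$demo"
```

The awk program only rewrites an "Allow from all" that directly follows "Order allow,deny", so any other Allow or Deny lines in the file are left untouched; run `conf_is_locked_down` afterwards to confirm nothing open-to-all remains before restarting httpd.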