Posted: Wed, 24 Sep 2014 21:59 UTC
Last Update: Tue, 30 Sep 2014 03:55 UTC
Shellshock update at 30 Sep
What a busy few days! Security researchers have found a few related bugs. The most recent of those is as-yet undisclosed and unpatched by distros.
In the meantime we have created a deshellshock script (if you are a sysadmin, please feel free to review it and suggest improvements at https://github.com/pbkwee/deshellshock ).
We are also working on a page where customers can review the status of our running that script on their servers. So you can see if you were vulnerable (tip: you were) and whether we can detect any current vulnerabilities after applying any changes.
We will update this notice as we make more progress. (Currently waiting on disclosure and fixes for CVE-2014-7186 and CVE-2014-7187).
Shellshock: the bash vulnerability
There is a vulnerability in most versions of bash.
Bash is invoked in a variety of ways: by web scripts, through OpenSSH environment variables, and probably in a number of other ways no one has thought of yet. This means there are potentially many ways (vectors) this vulnerability could be exploited.
So it is very important to fix this issue.
Patching the vulnerability
To check if you are vulnerable (tip: you probably are):
To fix it on Debian/Ubuntu:
On Redhat-based distros:
If you are ok with upgrading all/other packages, then on Debian/Ubuntu (note this will likely restart services and update lots of packages):
On Redhat-based distros:
If you are running Debian squeeze you may need to add in the squeeze-lts repository in order to get the updated bash package:
After upgrading bash, rerun the vulnerability check:
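The check-then-fix-then-recheck procedure above, as an added example that is not RimuHosting's deshellshock script and not the commands from the original notice (those did not survive on this page). It assumes a POSIX sh with `env` and `command -v`, uses the widely published CVE-2014-6271 self-test string (a function definition exported via the environment with a trailing command that a patched bash must not execute), and only prints the package-manager command rather than running it, so it can be run as an unprivileged user first:

```shell
#!/bin/sh
# Added example: Shellshock self-check plus fix hint for the procedure in this notice.
# Not RimuHosting's deshellshock script. Assumes POSIX sh, env and command -v.

# shellshock_check: returns 0 if the installed bash runs a command appended to an
# exported function definition (CVE-2014-6271), 1 if it does not, 2 if bash is absent.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # A patched bash prints only "test"; a vulnerable one also prints "vulnerable".
    # Partially patched builds warn on stderr about the ignored definition; discard it.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# shellshock_status: the check result in the words the notice uses.
shellshock_status() {
    rc=0
    shellshock_check || rc=$?   # "||" keeps this safe under set -e
    case $rc in
        0) echo "vulnerable" ;;
        1) echo "not vulnerable" ;;
        *) echo "no bash found" ;;
    esac
}

# detect_pkg_manager: apt-get on Debian/Ubuntu, yum on Redhat-based distros.
detect_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then echo apt-get
    elif command -v yum >/dev/null 2>&1; then echo yum
    else echo none
    fi
}

# fix_command: the bash-only upgrade for the given package manager (printed, not run,
# so the root-only step stays an explicit decision). Debian squeeze needs squeeze-lts
# enabled before apt-get will find an updated bash, as the notice says.
fix_command() {
    case "$1" in
        apt-get) echo "apt-get update && apt-get install --only-upgrade bash" ;;
        yum)     echo "yum update bash" ;;
        *)       echo "unsupported package manager: $1"; return 1 ;;
    esac
}

# Top-level run: report status and, if vulnerable, the command to run as root.
status=$(shellshock_status)
echo "bash status: $status"
if [ "$status" = "vulnerable" ]; then
    echo "run as root, then rerun this script: $(fix_command "$(detect_pkg_manager)")"
fi
```

Run it once before patching (expect "vulnerable"), run the printed command as root, then run it again; a clean result after the upgrade is the recheck the last step asks for. Note that this only exercises the bash binary on PATH, so a server with a second bash (a chroot, a container, a locally built copy in /usr/local) needs the same check against each one.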
If you are still vulnerable, pop in a ticket early next week and we can take a look. Please don't contact us right now. We are working on an auto-update solution for everyone.
The patch should not require a reboot or any service restarts.
What about older distros? RHEL4? Lenny? Slackware 1.0?
These are old distros, sometimes not well supported anymore. Had you thought about reinstalling with a newer, modern distro?
We are looking at options for these older distros. We will update this notice if/when we find them.
Because of the severity of the issue we may look at attempting to auto-patch the binary on servers where we have our RimuHosting key enabled (see https://rimuhosting.com/knowledgebase/rimuhosting/rimuhosting-ssh-access).
Because not all servers are the same, the auto-patch may not correct the problem on 100% of servers. If you wish to guarantee the binary is patched, please follow the steps above.
If we have access to your server and you do *not* wish us to attempt to do an update please submit a support ticket with the subject of nobashupdateplease. If you have already fixed the issue then the autopatch should do nothing so you should be fine to not send us a nobashupdateplease request.
Update @Sat 27 1225 UTC: We have started working on the autopatch script. An early version is at https://github.com/pbkwee/deshellshock . Please do not run that. We will shortly be implementing a version of that on servers where we have not received the 'nobashupdateplease' notice. We hope to have a list of vulnerable and fixed servers shortly.
Posted: Wed, 24 Sep 2014 21:47 UTC
Last Update: Fri, 26 Sep 2014 03:01 UTC
Update: Fri, 26 Sep 2014 02:59 AM UTC: The new drive also is showing errors. We have ordered a replacement drive and will work on swapping that in once it arrives.
Update: Fri, 26 Sep 2014 02:50 AM UTC: The drive swap is now complete and raid is syncing.
Update: Fri, 26 Sep 2014 02:26 AM UTC: We are starting work on replacing this drive. The host server has hotswap drives, so we will not need to take the server offline to complete the drive swap.
host987.rimuhosting.com has a drive failing; we will be working on replacing the failing drive. The host has hotswap drives, so we do not expect any downtime to complete the drive swap.