Brightbox

Ubuntu 12.04 LTS “Precise” now available 29 Apr 13

Available from today, you can choose Ubuntu 12.04 LTS “Precise” as the base OS when building new Brightboxes. Both 32-bit and 64-bit variants are available.

Ubuntu Precise is the current Long Term Support (LTS) version of Ubuntu with bug and security fixes provided until April 2017. Highlights include the Linux 3.2 kernel, Apache 2.2.22, Nginx 1.1.19, Upstart 1.5, OpenJDK 7, upgrades for Puppet and Chef and many more bug and security fixes.

We’ve included the usual Brightbox Ruby deployment stack and our “next generation” Ruby 1.8.7 and 1.9.3 packages, as well as the latest Phusion Passenger. A significant change from Lucid-based Brightboxes is that Ruby 1.9.3 is now the default, as Ruby 1.8.7 is end-of-life from June 2013. If you still require 1.8.7, the included ruby-switch tool makes it simple to switch between Ruby versions as required. For more information please see the documentation.

When buying a new Brightbox, you’ll see a combo box that you can use to select Precise (Lucid is still currently the default). In-place upgrades from Hardy or Lucid to Precise aren’t possible due to significant changes to the GRUB bootloader, so you’ll either need to request a re-image (which involves wiping your box, so make backups!) or buy a new box and move your apps to it.

We’ve now discontinued Ubuntu 8.04 LTS “Hardy” based Brightboxes, as it reaches the end of support in May 2013. Existing Hardy users should consider an upgrade to Lucid or Precise as soon as possible, as important bug and security fixes will no longer be provided.

Posted 29 April 2013 by Ben Arblaster • 1 comment

Tags: hardy, lucid, precise, ubuntu, upgrade

Ubuntu 12.04 LTS “Precise” beta testing 16 Apr 13

We’re currently in the final stages of testing Ubuntu “Precise” (12.04 LTS) Brightboxes, and we’re now looking for volunteers for beta testing. If you’re an existing customer and would like a Precise box to test, please open a support ticket or email support@brightbox.co.uk. Both 32-bit and 64-bit variants are available.

Beta test Brightboxes are free, but Precise is still in testing and there may still be bugs, so you shouldn’t plan on running your live customer-facing sites on one just yet. Once we launch Precise-based boxes for all, we’ll be switching off the beta boxes.

We’ve included the usual Brightbox Ruby deployment stack and our “next generation” Ruby 1.8.7 and 1.9.3 packages, as well as the latest Phusion Passenger. One of the significant changes is that Ruby 1.9.3 is now the default, though you can use the included ruby-switch tool to easily revert to 1.8.7 if required.

Space on the test platform is limited, so if you’d like a box, don’t delay!

Posted 16 April 2013 by Ben Arblaster • Add a comment

Tags: beta, lucid, precise, ubuntu

Another Rails JSON security bug 30 Jan 13

Another serious vulnerability in Rails has been discovered. Similarly to the last one, it concerns the parsing of JSON request bodies and can result in an attacker bypassing code, such as authentication systems, and may also be used to run arbitrary Ruby code and even execute system commands.

This new vulnerability does not affect Rails 3.1 and 3.2. Applications using Rails 3.0 and Rails 2.3 are vulnerable. We do not have any details about releases prior to 2.3, but these should be assumed to be vulnerable as well.

The rubyonrails.org blog post has more details of this newly-discovered vulnerability – CVE-2013-0333. Rails 2.3 and 3.0 apps need upgrading (or the workaround implemented) to fix the new JSON vulnerabilities.

Please note that this issue is separate from the SQL injection vulnerability and the XML+JSON vulnerabilities. Even if you have already taken action against these earlier bugs, further work is now needed to protect against this new one.

We urge all customers to upgrade as soon as possible.

Posted 30 January 2013 by George Hills • Comments Off

Rails JSON and XML security bugs 9 Jan 13

Two serious vulnerabilities in Rails have been discovered. They concern the parsing of JSON and XML request bodies and can result in an attacker bypassing code, such as authentication systems, and may also be used to run arbitrary Ruby code and even execute system commands.

The rubyonrails.org blog post has more details of these vulnerabilities – CVE-2013-0155 and CVE-2013-0156. Rails 3.x apps need upgrading (or patching) to fix the JSON vulnerabilities. The XML vulnerabilities can be fixed in 3.x or 2.3.x by either upgrading, or specifically disabling the dangerous parts of the XML parser with a simple initializer.

Please note that these issues are separate from, and more serious than, the recent SQL injection vulnerability which we posted about a few days ago.

We urge all customers to upgrade as soon as possible.

Posted 9 January 2013 by John Leach • 2 comments

Tags: rails, ruby, security, vulnerabilities
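Both the CVE-2013-0333 post above and this one come down to the same root cause: request bodies being handed to YAML.load, which can instantiate arbitrary Ruby objects. The Rails advisories gave two workarounds for sites that could not upgrade immediately: switch the JSON backend to the JSON gem (`ActiveSupport::JSON.backend = "JSONGem"` on Rails 3.0), and drop the "symbol" and "yaml" entries from `ActiveSupport::XmlMini::PARSING` in an initializer. The following Ruby example is added here and is not Brightbox's or the Rails project's code: it shows the JSON-gem parsing path rejecting YAML-only input, and reproduces the initializer's effect on a cut-down stand-in for the PARSING table (the table contents, the regex element extractor and the sample request bodies are mine, constructed for the demonstration).

```ruby
require "json"
require "yaml"

# ---- Part 1: JSON request bodies (CVE-2013-0333) ---------------------------
# Rails 2.3/3.0 converted the JSON body to YAML and called YAML.load on it.
# Parsing with the JSON gem never touches YAML, so YAML-only syntax is simply
# a parse error and no object instantiation can happen.

class BadRequestBody < StandardError; end

# create_additions: false also disables the JSON gem's own "json_class"
# object-creation extension, so the result is only hashes, arrays and scalars.
def parse_json_body(body)
  JSON.parse(body, create_additions: false)
rescue JSON::ParserError => e
  raise BadRequestBody, "body is not JSON: #{e.message}"
end

# ---- Part 2: typed XML parameters (CVE-2013-0156) --------------------------
# ActiveSupport::XmlMini::PARSING maps an element's type="..." attribute to a
# conversion. This stand-in table (constructed here, not the real one) keeps
# one harmless entry and the two the Rails advisory told people to delete.
PARSING = {
  "integer" => proc { |s| s.to_i },
  "symbol"  => proc { |s| s.to_sym },     # symbols were never GC'd on Ruby 1.x
  "yaml"    => proc { |s| YAML.load(s) }, # arbitrary objects before Psych 4
}

# Equivalent of the advisory's initializer, applied to the stand-in table:
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
def harden_parsing_table!(table)
  table.delete("symbol")
  table.delete("yaml")
  table
end

# Minimal extractor for flat <key type="...">value</key> fragments; a regex
# stand-in for the real XML parser, enough to show the type-conversion step.
ELEMENT_RE = /<(\w+)(?:\s+type="(\w+)")?>(.*?)<\/\1>/m

def parse_typed_xml(xml, table)
  xml.scan(ELEMENT_RE).each_with_object({}) do |(name, type, text), params|
    conv = table[type]
    params[name] = conv ? conv.call(text) : text # unknown type => plain string
  end
end

# Constructed sample inputs.
SAMPLE_JSON = '{"user":{"name":"alice","admin":false}}'
SAMPLE_YAML = "--- \nname: alice\n"
SAMPLE_XML  = '<count type="integer">3</count>' \
              '<role type="symbol">admin</role>' \
              '<note type="yaml">--- hello</note>' \
              '<plain>x</plain>'

if __FILE__ == $0
  p parse_json_body(SAMPLE_JSON)
  p parse_typed_xml(SAMPLE_XML, PARSING.dup)
  p parse_typed_xml(SAMPLE_XML, harden_parsing_table!(PARSING.dup))
end
```

With the original table the XML sample yields a Symbol for `role` and a YAML-decoded value for `note`; after `harden_parsing_table!` both come back as the literal strings, while the `integer` conversion still works, which is exactly the behaviour the initializer workaround gives a Rails app.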

Rails SQL injection vulnerability 3 Jan 13

A security problem affecting all versions of Rails has been discovered. The vulnerability affects apps which use dynamic finders with Active Record.

The original bug report has more detail about this vulnerability – CVE-2012-5664.

Customers who are able to, should upgrade to one of the new versions of Rails listed in the bug report (3.2.10, 3.1.9, or 3.0.18). Otherwise, you should audit your apps’ code for instances of dynamic finders, with a view to applying the workaround.

Posted 3 January 2013 by George Hills • 1 comment
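The audit the post recommends can be started mechanically. The Ruby example below is added here and is neither Brightbox's nor the Rails project's code: it scans application source for dynamic finder calls (find_by_*, find_all_by_*, find_or_create_by_* and friends) and reports those whose arguments are not literals or explicit scalar coercions, so that a reviewer can check each remaining call by hand. The heuristic, the regexes and the sample controller source are mine and constructed for the demonstration; coercing a finder argument to the scalar type the column expects (`.to_s`, `.to_i`) is a defensive convention, not a substitute for the fixed Rails releases.

```ruby
# Audit helper for CVE-2012-5664: find dynamic finder calls whose argument is
# not obviously a scalar. Anything flagged needs a human look.

# Matches e.g. User.find_by_email(params[:email]); allows one level of nested
# parentheses inside the argument list.
DYNAMIC_FINDER_RE =
  /\b(find(?:_all|_last|_or_initialize|_or_create)?_by_\w+)\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)/

# An argument counts as safe when it is a string/integer/symbol literal, nil,
# true/false, or ends in an explicit .to_s / .to_i / .to_sym coercion.
SAFE_ARG_RE =
  /\A\s*(?:"[^"]*"|'[^']*'|-?\d+|:\w+|nil|true|false|[\w\[\]:.\s'"]+\.to_(?:s|i|sym))\s*\z/

Finding = Struct.new(:line, :finder, :args)

# Returns an array of Finding for every dynamic finder call in `source`
# that has at least one argument not matching SAFE_ARG_RE.
def audit_dynamic_finders(source)
  source.each_line.with_index(1).flat_map do |text, lineno|
    text.scan(DYNAMIC_FINDER_RE).filter_map do |finder, arglist|
      args = arglist.split(",")
      next if args.all? { |a| a.match?(SAFE_ARG_RE) }
      Finding.new(lineno, finder, arglist.strip)
    end
  end
end

# Constructed sample: one call that needs review, three that do not.
SAMPLE_SOURCE = <<~RUBY
  class SessionsController < ApplicationController
    def create
      user  = User.find_by_email(params[:email])               # flagged
      admin = User.find_by_login("root")                       # literal: fine
      acct  = Account.find_all_by_token(params[:token].to_s)   # coerced: fine
      post  = Post.find_by_id(session[:post_id].to_i)          # coerced: fine
    end
  end
RUBY

if __FILE__ == $0
  audit_dynamic_finders(SAMPLE_SOURCE).each do |f|
    puts "line #{f.line}: #{f.finder}(#{f.args}) -- argument not coerced to a scalar"
  end
end
```

Run it over an app tree with something like `audit_dynamic_finders(File.read(path))` per file under app/ and lib/. The check is deliberately conservative: a bare local variable or method call is reported even when it is probably a string, because the point of the audit is to prove that no hash can reach the finder.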

New Relic Agent vulnerability 7 Dec 12

New Relic have notified us of a security problem affecting the New Relic agent (gem) prior to version 3.5.3.

The New Relic security advisory warns that the New Relic gem was transmitting database login details to New Relic, where they were not stored, but potentially could have been intercepted.

The risk to Brightbox customers who use New Relic is low, as Brightbox shared and dedicated MySQL clusters are not exposed to access from the Internet. Nevertheless, customers who are using New Relic should still upgrade to the latest version of the New Relic gem as soon as convenient.

Posted 7 December 2012 by George Hills • Comments Off

Passenger 3.0.17 and NGINX 1.2.3 packages for Ubuntu 12 Sep 12

We’ve just published Phusion Passenger 3.0.17 packages for Ubuntu on our repositories (Hardy, Lucid, Natty, Oneiric and Precise).

We’ve also updated our NGINX packages to 1.2.3, and they now include Weibin Yao’s http upstream check module.

They’re now available on our standard and our ruby-ng repositories, so you can use it all with Ruby 1.9.3 too (on Lucid, Natty, Oneiric and Precise).

Remember, the ruby-ng repository is “all in one”, so it provides Ruby, Passenger and NGINX all in one repository. Our separate passenger repository provides Apache Passenger packages only (without Ruby 1.9 support) and the passenger-nginx repository provides NGINX+Passenger only (also without Ruby 1.9 support).

Posted 12 September 2012 by John Leach • 2 comments

Tags: lucid, nginx, packages, passenger, ppa, precise, ubuntu

Passenger 3.0.14 and NGINX 1.2.2 packages for Ubuntu 3 Aug 12

We’ve just published Phusion Passenger 3.0.14 packages for Ubuntu on our repositories (Hardy, Lucid, Natty, Oneiric and Precise). We’ve also updated our NGINX packages to 1.2.2.

They’re now available on our standard and our ruby-ng repositories, so you can use it all with Ruby 1.9.3 too (on Lucid, Natty, Oneiric and Precise).

Remember, the ruby-ng repository is “all in one”, so it provides Ruby, Passenger and NGINX all in one repository. Our separate passenger repository provides Apache Passenger packages only (without Ruby 1.9 support) and the passenger-nginx repository provides NGINX+Passenger only (also without Ruby 1.9 support).

We’ll continue to maintain the passenger and passenger-nginx repositories so as not to force anyone to have to switch to the ruby-ng repositories (and for anyone who still needs Ubuntu Hardy support), but we now recommend using the ruby-ng repositories for all your future Ruby on Ubuntu needs :)

If you’re not already a Brightbox customer and want professional support for Ruby deployment, drop us a line. And don’t forget about our new cloud service too.

Posted 3 August 2012 by John Leach • Comments Off

Tags: cow, nginx, packages, packaging, passenger, ruby, ruby1.9, ubuntu

MySQL authentication vulnerability 11 Jun 12

A bug in older MySQL releases (CVE-2012-2122) is getting a lot of attention today. The bug allows MySQL’s password security to be easily bypassed, allowing anyone to connect to MySQL as any valid user – including the administrative user with access to all the other users’ password details.

Further details can be read at http://seclists.org/oss-sec/2012/q2/493

We’ve verified this morning that, as expected, the Brightbox shared and dedicated MySQL servers are not affected by this problem.

If you’re running your own instances of MySQL using the Ubuntu-provided MySQL packages, then ensure that access to it is firewalled for now and apply the relevant security updates from Ubuntu when they become available.

Posted 11 June 2012 by George Hills • Comments Off

OpenSSL security updates 20 Apr 12

A security problem has recently been found in the OpenSSL package. OpenSSL is used with Apache to provide SSL (HTTPS) security for websites.

The Ubuntu documentation for this problem can be found here.

We therefore recommend that all customers upgrade their OpenSSL packages to the latest versions as soon as possible.

The necessary commands are

sudo apt-get update
sudo apt-get -y install openssl libssl0.9.8

Posted 20 April 2012 by George Hills • Comments Off


Copyright © 2011 Brightbox Systems Ltd. All rights reserved