Brightbox
Posts tagged ‘security’

Ruby Security Vulnerabilities 25 Jun 08

Some of you will have noticed the kerfuffle regarding the recent Ruby security vulnerabilities. Fixed versions of Ruby were released over the weekend, but they are causing crashes in applications. Until working fixes are available we’re all a bit stuck.

Details of the bugs have been kept officially secret, but people are figuring it out for themselves (thanks to Zed in particular). This secrecy has just contributed to the fear, uncertainty and doubt surrounding the issues and hasn’t helped the situation at all.

We currently recommend sitting tight until proper fixes are available. When this happens, distros will release new packages in the usual manner. Brightboxes are based on the Ubuntu distro, and their security team are aware of the problem and are working on it (see the bug status here).

For those of you using the standard Ruby from Dapper (most of you), you should be able to just upgrade using aptitude as soon as Ubuntu release new packages. For those of you using the backported Ruby 1.8.6 packages, you’ll need to wait for us to backport the fixes once they’re released. We’ll obviously be doing this asap.

We’ll update the blog as we know more.

UPDATE: Ubuntu have fixed ruby1.8 packages available now. They have already appeared in the Ubuntu security repository and are available for install. Preliminary testing of the Dapper packages has been successful (gems with native libraries too). We’re re-backporting the Hardy 1.8.6 packages right now and they’ll be available soon.

UPDATE: We have the fixed Hardy packages (1.8.6-p111) backported to Dapper available on the Brightbox testing apt repository. They’ve passed a lot of preliminary tests but have not been tested extensively in production yet. Please report any problems with them (segfaults etc.) to support@brightbox.co.uk.
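Once the fixed packages are in the repository, the question on each box is whether the installed ruby1.8 package is already at or above the version carrying the fix. The installed version can be read with `dpkg-query -W -f='${Version}' ruby1.8`, but comparing it correctly means following dpkg's ordering rules (epochs, `~` sorting before everything, digit runs compared numerically). The following is an added example, not code from the post or from Brightbox; it implements that comparison, and every version string in it is constructed for illustration rather than a real package version.

```python
import itertools

# Added example (not Brightbox's code): compare Debian/Ubuntu package versions
# the way dpkg does, so an admin can tell whether the ruby1.8 package on a box
# is already at or above the fixed version. All version strings used with these
# functions below are constructed for illustration, not real package versions.


def _split_version(version):
    """Split 'epoch:upstream-revision' into its parts (epoch defaults to 0,
    revision to the empty string). Only the last '-' separates the revision."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' sorts before everything,
    even the end of the string; letters sort before other symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two runs of non-digit characters; a missing character counts as 0."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment by alternating non-digit runs
    (dpkg character order) with digit runs (compared numerically)."""
    while a or b:
        na = "".join(itertools.takewhile(lambda c: not c.isdigit(), a))
        nb = "".join(itertools.takewhile(lambda c: not c.isdigit(), b))
        a, b = a[len(na):], b[len(nb):]
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da = "".join(itertools.takewhile(str.isdigit, a))
        db = "".join(itertools.takewhile(str.isdigit, b))
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_patched(installed, fixed):
    """True when the installed version is at or above the version carrying the fix."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed versions: a pre-fix Dapper package against a hypothetical fixed one.
    print(is_patched("1.8.6.36-1ubuntu3", "1.8.6.111-1ubuntu1~dapper1"))
```

The `~` rule matters for backports: a revision such as `1ubuntu1~dapper1` sorts below `1ubuntu1`, so a backported build of the fix is correctly treated as older than the release it was built from while still newer than anything before the fix.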

Posted 25 June 2008 by John Leach

backport dapper hardy ruby security ubuntu vulnerabilities

Ubuntu OpenSSH vulnerability 14 May 08

A vulnerability in some versions of OpenSSH on Debian and Ubuntu Linux was announced yesterday which can result in attackers gaining ssh access to machines with weak keys. Any version of OpenSSH that can produce these weak keys needs to be upgraded, and any weak keys in use need to be regenerated.

One of our admin keys, used for accessing customer machines for support, was generated on a vulnerable version of Ubuntu. This key is installed on Brightboxes by default, though it is limited to access from the private network only, which mitigates the risk somewhat.

We’ve generated a new key and have now installed it on all affected Brightboxes and removed the weak one (you may have noticed some ssh connections from the private network to your box this morning as the user bbox-admin).

The Brightbox distribution is based on Ubuntu Dapper, which is not directly vulnerable to this bug, but if you are using an ssh key generated on one of the vulnerable versions then your Brightbox might be at risk. If you use any of the vulnerable versions of Ubuntu yourself, please follow the instructions in the Ubuntu security notice.
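The rotation described above (remove the weak key from every affected box, install the replacement) comes down to editing `authorized_keys` files reliably, which means parsing the format rather than grepping for a comment. The following is an added example and not Brightbox's code. It identifies entries by fingerprint (the colon-separated MD5 of the decoded key blob, the form ssh-keygen printed at the time) so a renamed comment cannot hide a weak key, preserves comments and unrelated entries verbatim, and is idempotent. The post does not say how the private-network restriction was enforced; the `from=` option in the sample data is an assumption used to show that quoted, comma-separated options are parsed correctly. The key blobs are constructed wire-format encodings with dummy contents, not real keys.

```python
import base64
import hashlib
import struct

# Added example (not Brightbox's code): parse authorized_keys, remove an entry
# by fingerprint and install its replacement. Key types cover the 2008-era
# formats plus later ones so the parser is not tied to a single key type.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(blob):
    """Colon-separated hex MD5 of the decoded key blob (legacy ssh-keygen format)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_entry(line):
    """Return (options, keytype, b64, comment) for one authorized_keys line, or
    None for blank lines and comments. Options may hold quoted commas/spaces."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    options = ""
    if s.split(None, 1)[0] not in KEY_TYPES:
        # Walk to the first whitespace that is not inside double quotes.
        i, in_quotes = 0, False
        while i < len(s):
            c = s[i]
            if c == "\\" and in_quotes:
                i += 1  # skip the escaped character
            elif c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        options, s = s[:i], s[i:].lstrip()
    parts = s.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    base64.b64decode(parts[1], validate=True)  # reject garbage before keeping it
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def entry_fingerprint(entry):
    return fingerprint(base64.b64decode(entry[2]))


def rotate_key(text, weak_fp, new_line):
    """Drop every entry whose fingerprint is weak_fp; add new_line unless a key
    with its fingerprint is already present. Returns (new_text, removed_count)."""
    new_fp = entry_fingerprint(parse_entry(new_line))
    kept, removed, have_new = [], 0, False
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            kept.append(line)  # comments and blank lines pass through verbatim
            continue
        fp = entry_fingerprint(entry)
        if fp == weak_fp:
            removed += 1
            continue
        have_new = have_new or fp == new_fp
        kept.append(line)
    if not have_new:
        kept.append(new_line.strip())
    return "\n".join(kept) + "\n", removed


# --- constructed sample data: valid encodings, dummy key material -------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _fake_rsa_blob(tag):
    return _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(tag)


WEAK_B64 = base64.b64encode(_fake_rsa_blob(b"\x00weak-key-from-vulnerable-host")).decode()
NEW_B64 = base64.b64encode(_fake_rsa_blob(b"\x00replacement-key")).decode()
OTHER_B64 = base64.b64encode(_fake_rsa_blob(b"\x00customer-own-key")).decode()
WEAK_FP, NEW_FP, OTHER_FP = (fingerprint(base64.b64decode(b))
                             for b in (WEAK_B64, NEW_B64, OTHER_B64))

# Assumed (not stated in the post): the admin key restricted with from=.
SAMPLE_AUTHORIZED_KEYS = (
    "# support access, private network only\n"
    f'from="10.0.0.0/8,10.1.0.0/16",no-pty ssh-rsa {WEAK_B64} bbox-admin\n'
    f"ssh-rsa {OTHER_B64} customer@laptop\n"
)
NEW_LINE = f'from="10.0.0.0/8,10.1.0.0/16",no-pty ssh-rsa {NEW_B64} bbox-admin'


def demo():
    """Rotate the weak key in the constructed file; return (removed, fps, text)."""
    new_text, removed = rotate_key(SAMPLE_AUTHORIZED_KEYS, WEAK_FP, NEW_LINE)
    fps = [entry_fingerprint(e) for e in map(parse_entry, new_text.splitlines()) if e]
    return removed, fps, new_text
```

Run against a real file, `rotate_key` takes the file's contents and the fingerprint reported for the weak key; writing the result back should go through a temporary file and rename so a crash mid-write cannot leave a truncated `authorized_keys`.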

Posted 14 May 2008 by John Leach

security ubuntu

Planned MySQL Maintenance: 6 Jan 2200hrs-2230hrs 31 Dec 07

We’ll be doing some work on the MySQL cluster on Sunday 6th January 2008 between 2200hrs and 2230hrs. We’re changing the way the clustering is managed to improve stability and also upgrading to fix some security bugs. During the window you may see two or three brief outages (less than 2 minutes at a time). We’ll keep the status page up to date as usual. If you experience any issues after the maintenance window has closed, please submit a support ticket and we’ll deal with it straight away.

Update (7 Jan 2007): maintenance went well, with only a few seconds’ downtime.

Posted 31 December 2007 by John Leach

cluster maintenance mysql security upgrade

Secure virtual disk deletion - is your data safe? 4 Dec 07

Everyone knows the dangers of old hard disks being discarded with sensitive data still on them, but what about virtual disks? With so many virtual machine hosting services cropping up of late (hi!), have you ever wondered what happens to your data when you delete your virtual machine?

Usually your machine’s ‘partition’ is just a small part of a larger disk array; when the machine is deleted the partition is removed and the space returned to the pool to be used by another virtual machine. This means that the next time someone buys a virtual machine on the same host, some of the blocks that made up your filesystem could end up making up theirs. The metadata will be wiped clean when the filesystem is formatted, of course, so they won’t just see your files listed, but the blocks can still contain your data. It all depends on how the provider manages its disks.

Homework: go buy a virtual machine somewhere and pipe the contents of your new disk through the strings command and look out for anything that isn’t yours (ssh root@newmachine "dd if=/dev/sda1 bs=1M | strings"). Extra credit if you don’t get thrown off your new host on the first day for maxing out the disk IO :)

So, you’re probably careful and securely wipe your sensitive data before you leave, phew. But disk space is virtualised too. The blocks that make up your disk might not all be in order, or even all on the same disk. With snapshots, your data may also exist in duplicate copies that you can’t even access. And what about if you bought extra disk space, then removed it?

At Brightbox we use Linux’s LVM implementation to manage disk space, so these are problems we have to deal with, and we take them seriously. All virtual machine disks are wiped at the block level when the machine is deleted or when a new machine is created. The only corner case we’re likely to run into is if a disk image is extended into space that had previously been used as a snapshot or as a disk that was shrunk. Luckily we don’t currently offer snapshots or disk shrinking, but it’s something we’ll probably offer at some point, so we’ll have to address it then.
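The block-level wipe described above, together with a check that it actually took effect, as an added example that is not Brightbox's code. Zero-filling a logical volume before it is returned to the pool is the same thing `dd if=/dev/zero of=/dev/vg/lv bs=1M` does; what the post's homework adds is the verification step, so the example also reads the device back and runs the same printable-string scan as `dd | strings`, including runs that straddle a read boundary. The function names, the 1 MiB chunk size and the temporary file that stands in for a block device in `demo()` are all choices made here; the planted secret and the random filler are constructed.

```python
import os
import re
import tempfile

# Added example (not Brightbox's code): zero a block device (or a file standing
# in for one) before the space goes back to the pool, then verify the wipe two
# ways: every byte reads back as zero, and a strings(1)-style scan finds nothing.
# Anything passed to wipe_device is destroyed, so point it at the right path.

CHUNK = 1024 * 1024  # 1 MiB, matching dd bs=1M in the post
SECRET = b"BEGIN CONSTRUCTED SECRET: customer database password goes here"


def device_size(fd):
    """Byte length of a regular file or block device via lseek to the end."""
    pos = os.lseek(fd, 0, os.SEEK_CUR)
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, pos, os.SEEK_SET)
    return end


def wipe_device(path):
    """Overwrite every byte of path with zeros, flush, and return bytes written."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = device_size(fd)
        zeros = memoryview(bytes(CHUNK))
        written = 0
        while written < size:  # os.write may be partial; loop on the real count
            written += os.write(fd, zeros[: min(CHUNK, size - written)])
        os.fsync(fd)
        return written
    finally:
        os.close(fd)


def verify_zeroed(path):
    """True if every byte of path reads back as zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def leaked_strings(path, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `dd ... | strings`.
    The trailing run of each chunk is carried over so boundary-spanning text
    is reported whole rather than split in two."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found, carry = [], b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            data = carry + chunk
            tail = re.search(rb"[\x20-\x7e]*\Z", data)
            body, carry = data[: tail.start()], tail.group(0)
            found.extend(m.group(0).decode("ascii") for m in run.finditer(body))
    if len(carry) >= min_len:
        found.append(carry.decode("ascii"))
    return found


def demo():
    """Constructed 1.5 MiB 'virtual disk' with a secret planted across a chunk
    boundary; returns (strings_before, bytes_written, zeroed, strings_after)."""
    fd, path = tempfile.mkstemp(prefix="vdisk-demo-")
    try:
        image = bytearray(os.urandom(3 * CHUNK // 2))
        image[CHUNK - 10 : CHUNK - 10 + len(SECRET)] = SECRET
        os.write(fd, image)
        os.close(fd)
        before = leaked_strings(path)
        written = wipe_device(path)
        return before, written, verify_zeroed(path), leaked_strings(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, written, zeroed, after = demo()
    print(f"before: {len(before)} printable runs; wrote {written} bytes; "
          f"zeroed={zeroed}; after: {len(after)} runs")
```

On a real LVM setup the wipe runs against the logical volume path before `lvremove`, and `verify_zeroed` is the cheap check that the write actually reached the device; the strings scan is the slower, human-readable cross-check the post suggests doing from the tenant's side.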

Posted 4 December 2007 by John Leach

data deletion disk leak nas san security virtualization wipe wiping xen


Copyright © 2008 Brightbox Systems Ltd. All rights reserved