
Security Alert

A few days ago I noticed that NFS performance between a web server node and an NFS server had dropped by 50%. NFS was already tuned, and the only thing that had changed was the Red Hat Enterprise Linux 5.2 kernel update. I noticed the same trend on the 64-bit edition of CentOS 5.2.

The NFS server crashed each and every time the web server node tried to store a large file (20-100 MB each). Read performance was fine, but write performance went to hell. Finally, I had to roll back the updates. Recently, while reading the Red Hat site, I came across the solution:

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5:

* a 50-75% drop in NFS server rewrite performance, compared to Red Hat Enterprise Linux 4.6, has been resolved.

After upgrading the kernel on both the server and the client, my issue was resolved. Note that the new kernel is only used once each machine has been rebooted into it; until then the old, slow kernel is still running:
# yum update

The Postfix MTA has been updated to fix a security vulnerability: Postfix incorrectly checked the ownership of a mailbox file before delivering to it. In some configurations this allows a local user to append data to arbitrary files as root. This update has been rated as having moderate security impact.

All users of postfix should upgrade to these updated packages.

How do I patch Postfix under Debian / Ubuntu Linux?

First, update the package index, enter:
# apt-get update
Install corrected Postfix package, enter:
# apt-get upgrade

How do I patch Postfix under RHEL / CentOS Linux?

Type the following command under RHEL / CentOS 5.x:
# yum update
Type the following command under RHEL <= 4.x:
# up2date -u
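The Postfix flaw above comes down to the MTA trusting a mailbox file it should not have delivered to. The following is an added hardening check, not part of the Postfix advisory or of Postfix itself: it lists entries in the mail spool that are not plain, single-link regular files, since a symlink or a hard link is exactly how a mailbox can be pointed at somebody else's file. The spool path /var/mail is an assumed default (Postfix also uses /var/spool/mail on some systems), and the demo spool it builds under mktemp is constructed data. A full audit would also confirm that each mailbox is owned by the user it is named after; that needs the system's user database and is left out here so the example runs offline.

```shell
# Added hardening check (not part of the Postfix advisory): report mail spool
# entries that are not ordinary mailbox files. Prints one suspicious path per
# line and nothing when the spool is clean.
audit_mail_spool() {
    spool=${1:-/var/mail}   # assumed default; /var/spool/mail on some systems
    # Flag anything that is not a regular file (symlinks, directories, fifos)
    # or that is a regular file with more than one hard link.
    find "$spool" -mindepth 1 -maxdepth 1 \( ! -type f -o -links +1 \) -print | sort
}

# Build a constructed spool in a temporary directory and print its path.
# This is demo data only, not a real spool.
make_demo_spool() {
    d=$(mktemp -d)
    printf 'From alice\n' > "$d/alice"               # ordinary mailbox: fine
    ln -s /etc/passwd "$d/mallory"                  # symlink pointing out of the spool
    touch "$d/shared" && ln "$d/shared" "$d/carol"  # hard-linked pair: both flagged
    mkdir "$d/bob"                                  # not a regular file: flagged
    printf '%s\n' "$d"
}

# Count flagged entries so a cron job can alert on a non-zero result.
audit_mail_spool_count() {
    audit_mail_spool "$1" | grep -c .
}
```

Run `audit_mail_spool` as root on the real spool; on a clean system it prints nothing. `grep -c .` rather than `wc -l` keeps the count at 0 for empty output.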

Red Hat has shipped a new version of the dnsmasq caching DNS software to plug a UDP source port bug: dnsmasq did not randomize the source port of its outgoing queries, which could have made DNS cache poisoning (spoofing) attacks easier (CVE-2008-1447). Dnsmasq is a lightweight, fast caching DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP to a small network.

This update has been rated as having moderate security impact. To upgrade your software, type the following command:
# yum update

The dnsmasq package is only available for RHEL 5 / CentOS Linux 5.x. If you are using Debian / Ubuntu Linux, enter:
# apt-get update
# apt-get upgrade

Firefox 3.0.1 has been released and is available for download. Mozilla has rated this update as having critical security impact. Use the following instructions to upgrade Firefox.

Security Issues

An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785)

A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)

Download Firefox 3.0.1

=> Visit the official site to grab Firefox 3.0.1

How do I upgrade Firefox to version 3.0.1?

See how to install firefox-3.0.1.tar.bz2 on Linux

How do I update Firefox under Red Hat / Fedora / CentOS Linux?

Simply type the following command, enter:
# yum update

How do I update Firefox under Debian / Ubuntu Linux?

Open terminal and simply type the following commands, enter:
$ sudo apt-get update
$ sudo apt-get upgrade

Canonical Ltd has issued updates for its kernel package to plug multiple security holes. The following Ubuntu releases are affected:

=> Ubuntu 6.06 LTS
=> Ubuntu 7.04
=> Ubuntu 7.10
=> Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Description

The IPsec protocol stack did not correctly handle fragmented ESP packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2007-6282)

The 64-bit kernel did not correctly handle hrtimer updates. A local attacker could request a large expiration value and cause the system to hang, leading to a denial of service. (CVE-2007-6712)

The ia32 emulation under 64-bit kernels did not fully clear uninitialized data. A local attacker could read private kernel memory, leading to a loss of privacy. (CVE-2008-0598)

A race condition was discovered between ptrace and utrace in the kernel. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-2365)

The copy_to_user routine in the kernel did not correctly clear memory destination addresses when running on 64-bit kernels. A local attacker could exploit this to gain access to sensitive kernel memory, leading to a loss of privacy. (CVE-2008-2729)

The PPP over L2TP routines in the kernel did not correctly handle certain messages. A remote attacker could send a specially crafted packet that could crash the system or execute arbitrary code. (CVE-2008-2750)

Gabriel Campana discovered that SCTP routines did not correctly check for large addresses. A local user could exploit this to allocate all available memory, leading to a denial of service. (CVE-2008-2826)

How do I update Kernel package?

Open terminal and type the following two commands:
$ sudo apt-get update
$ sudo apt-get upgrade

After a standard system upgrade you need to reboot your computer for the new kernel to take effect:
$ sudo reboot

The Debian Linux project today released security fixes for the lighttpd and gaim packages.

Gaim packages fix execution of arbitrary code

It was discovered that gaim, a multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.

lighttpd packages fix multiple DoS issues

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

a) lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

b) connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.

How do I fix lighttpd and gaim security issues?

First, update the package index, enter:
# apt-get update
Install corrected packages, enter:
# apt-get upgrade

Updated kernel packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 4.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following bugs:

* The GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy applications' requests for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used the predictable port numbers the kernel handed out. This could have made DNS spoofing attacks easier.

The Linux kernel has been updated to use random UDP source ports where none is specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, making DNS spoofing attacks harder.

* A set of patches described as "sys_times: Fix system unresponsiveness during many concurrent invocation of sys_times()" and "Minor code cleanup to sys_times() call" introduced a regression which caused a kernel panic under high load. These patches have been reverted in this release.

* A process could hang in an uninterruptible state while accessing application data files, due to a race condition in the asynchronous direct I/O system calls.

* USB devices would not be detected on a PowerEdge R805 system. USB devices are now able to be detected on the aforementioned system with this update.

Further, these updated packages add the following enhancement:

* Added HDMI support for AMD ATI chipsets RS780, RV610, RV620, RV630, RV635, RV670 and RV770.
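Both the dnsmasq update above and this RHEL 4 kernel update are about the same thing: a resolver whose queries leave from a fixed or predictable UDP source port gives a spoofer only the 16-bit transaction ID to guess (CVE-2008-1447). The quickest way to see whether a box is still in that state is to watch the source ports of a few successive outgoing queries. The following is an added example, not code from either advisory: it pulls the client source port out of tcpdump lines and classifies the sequence as fixed, sequential, narrow or randomized. The two captures embedded below are constructed for the demonstration (192.0.2.0/24 is a documentation range, not real traffic), and the interface name eth0 in the usage comment is an assumption.

```shell
# Added example (not from the advisories): classify the UDP source ports a
# resolver uses for successive DNS queries. Fixed or sequential ports are what
# the CVE-2008-1447 attack relies on; a wide spread is what the fixes produce.

# Extract the client UDP source port from tcpdump lines of the form
#   "HH:MM:SS.ffffff IP <src-ip>.<sport> > <dst-ip>.53: ..."
# The port is the last dot-separated component of the source field.
ports_from_tcpdump() {
    awk '$2 == "IP" { n = split($3, p, "."); print p[n] }'
}

# Read one port per line on stdin and print exactly one word:
#   fixed       every query used the same port
#   sequential  each port is the previous one plus 1
#   narrow      ports vary, but within fewer than 1024 values
#   randomized  ports are spread across the ephemeral range
port_pattern() {
    awk '
        NR == 1 { min = max = prev = $1; seq = 1 }
        NR > 1  { if ($1 - prev != 1) seq = 0; prev = $1 }
        {
            if (!($1 in seen)) { seen[$1] = 1; distinct++ }
            if ($1 < min) min = $1
            if ($1 > max) max = $1
        }
        END {
            if (NR == 0)               print "no-data"
            else if (distinct == 1)    print "fixed"
            else if (seq)              print "sequential"
            else if (max - min < 1024) print "narrow"
            else                       print "randomized"
        }'
}

# Constructed sample captures (not real traffic): the first mimics a resolver
# whose kernel hands out consecutive ports, the second a patched one.
BEFORE_FIX='12:00:00.000100 IP 192.0.2.10.32768 > 192.0.2.1.53: 1+ A? example.com. (29)
12:00:00.000200 IP 192.0.2.10.32769 > 192.0.2.1.53: 2+ A? example.net. (29)
12:00:00.000300 IP 192.0.2.10.32770 > 192.0.2.1.53: 3+ A? example.org. (29)
12:00:00.000400 IP 192.0.2.10.32771 > 192.0.2.1.53: 4+ A? example.edu. (29)'

AFTER_FIX='12:00:01.000100 IP 192.0.2.10.51327 > 192.0.2.1.53: 5+ A? example.com. (29)
12:00:01.000200 IP 192.0.2.10.8713 > 192.0.2.1.53: 6+ A? example.net. (29)
12:00:01.000300 IP 192.0.2.10.60190 > 192.0.2.1.53: 7+ A? example.org. (29)
12:00:01.000400 IP 192.0.2.10.24904 > 192.0.2.1.53: 8+ A? example.edu. (29)'

# Classify a whole capture given as one multi-line string.
classify_capture() {
    printf '%s\n' "$1" | ports_from_tcpdump | port_pattern
}

# Live usage (root, interface eth0 assumed): capture 20 outgoing queries
# while something on the box resolves names, then classify them.
#   tcpdump -n -l -c 20 -i eth0 'udp dst port 53' | ports_from_tcpdump | port_pattern
```

Run the live pipeline on the resolver itself, not behind a NAT gateway: a NAT device rewrites source ports and can hide (or introduce) predictability that the host's own stack does not have.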

How do I upgrade my kernel on RHEL 4.x?

Type the following command as the root user:
# up2date -uf
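Three of the posts above (the RHEL 5 NFS kernel fix, the Ubuntu kernel advisory and this RHEL 4 kernel update) end with a package command, and a kernel installed that way does nothing until the machine is rebooted into it. The following is an added check, not code from any of the advisories or from the distributions: it compares the running kernel version with the newest installed one and exits 0 when a reboot is still needed. It is written as plain functions over version strings so it runs offline; the rpm and dpkg commands in the usage comment are real but the exact package naming shown there is an assumption about the target system, and the sample versions in the test are constructed.

```shell
# Added check (not from the advisories): does the running kernel match the
# newest installed one? If not, the security fix is not in effect yet.

# Compare two kernel versions such as 2.6.18-92.el5 and 2.6.18-92.1.6.el5,
# or 2.6.24-19-generic. Prints -1, 0 or 1. The .elN distribution tag is
# stripped, every non-digit run becomes a separator, and the numeric fields
# are compared left to right with missing fields treated as 0.
kver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.el[0-9]+.*$/, "", a); sub(/\.el[0-9]+.*$/, "", b)
        gsub(/[^0-9]+/, ".", a);     gsub(/[^0-9]+/, ".", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1;  exit }
        }
        print 0
    }'
}

# Print the newest of the versions given as arguments.
kver_newest() {
    best=$1; shift
    for v in "$@"; do
        if [ "$(kver_cmp "$v" "$best")" -gt 0 ]; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# Usage: reboot_needed <running-version> <installed-version>...
# Exit status 0 when the running kernel is older than the newest installed one.
reboot_needed() {
    running=$1; shift
    newest=$(kver_newest "$@")
    [ "$(kver_cmp "$running" "$newest")" -lt 0 ]
}

# Live usage (package naming assumed for each family):
#   RHEL / CentOS:  reboot_needed "$(uname -r)" $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n')
#   Ubuntu:         reboot_needed "$(uname -r)" $(dpkg-query -W -f '${Package}\n' 'linux-image-*' | sed 's/^linux-image-//')
#   && echo "reboot required" || echo "running the newest installed kernel"
```

On RHEL 5 with the Xen or PAE kernel flavours installed alongside the stock one, pass only the flavour you actually boot, otherwise the comparison will pick the highest number regardless of flavour.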