Maintenance 6/5/2015 10PM-3AM

     I have a lot of maintenance work to do today and this evening that involves updates, taking systems down for imaging, reboots to make a new libc and openssl active, and reboots of the main file servers to make various updates in them active.

     Most of the heavy work that will impact customer access to mail, web, etc., will happen after midnight: first the update of the main file servers, and then taking mail, ftp, and the more heavily used shell servers down for imaging.  The less used servers that have nobody logged in at the time, as well as servers that are replicated, will be serviced earlier.

     It is suggested that you do not plan any uninterruptible activities between midnight and 1AM on 6/6/2015 as this is the time frame the main file servers will be rebooted and during that time all services will be unavailable for a period of approximately 20 minutes.

Fedora Up as Fedora 22

     The shell server, “fedora.eskimo.com”, is back online, now as Fedora 22.  There are still some operations in progress like the conversion of the yum database to dnf, the new package handler [Probably stands for D)oes N)ot F)unction].

     I really hate it when developers make major changes to what was a good functional system.  Anyway it is what it is.  Those of you wanting to get a look at Fedora 22, there it is.

Fedora Down for Upgrade

      The shell server, fedora.eskimo.com, is presently down for an upgrade from Fedora 21 to Fedora 22.  If you need a modern RedHat based shell server presently, please use either centos7.eskimo.com or scientific7.eskimo.com.

Freak Vulnerability

     Also tested for FREAK; not vulnerable to that attack either.

     Both of these vulnerabilities exploit a browser’s ability to fall back to less secure “export” encryption and are mostly an issue with old browsers.

    On this site, we don’t support these flawed encryption standards but you can protect yourself on other sites that do by upgrading your browser to the current version.  Those of you stuck with old versions of Explorer because Microsoft didn’t make newer versions available for older operating systems can either obtain a patch from Microsoft or use an alternative browser like Firefox.

Logjam Attack

We tested our server for vulnerability to the Logjam attack:

     Good News! This site uses strong (2048-bit or better) key exchange parameters and is safe from the Logjam attack.

Limited Hours Today

      I will be leaving around 4:30pm Pacific time to go see Baby Gramps perform at the Northwest Folklife Festival.  If you’ve never seen Baby Gramps perform or never been to the festival you should come.  It’s free, save for trying to find a place to park.

     I’ll probably be back around 7pm or so depending upon whether my son decides to stop and get food or not (hitchin’ a ride rather than trying to find parking myself).  I’ll answer the phones as long as I’m awake tonight so if you’re up past nine feel free to call later.

Venom Patched

     Even though we don’t have any guests with emulated floppies, I’ve applied the Venom patches to kvm, qemu, and xen, provided by CentOS, just on the off chance we someday want to emulate a floppy.  That isn’t likely to happen unless they get Sparc emulation working on a distribution so we can emulate our old SS-10 and be done with the hardware.

Apache mod_session_crypto

     I’ve added the module “mod_session_crypto” for session encrypting to our Apache 2.4.12 web server.

     I added it because I am working on some new features that will involve authenticating on the web against your existing Linux username and password, much as the current web mail does.  I wanted this as an additional tool to secure sessions.  It is also available for your use in web applications.

     If there are other Apache features that you might need for an application, please e-mail support@eskimo.com.  If it is doable without compromising security, I will add them.
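As an added illustration (not the actual eskimo.com configuration), this is what using mod_session_crypto looks like in Apache 2.4: mod_session stores the session in a cookie, and mod_session_crypto encrypts that cookie so the browser only ever holds ciphertext.  The application path, cookie name and passphrase are assumptions.

```apache
# Added example, not eskimo.com's real config.  Paths, the cookie name,
# the /app location and the passphrase are placeholders.
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so

# Weak form: the session lives in the cookie as plain key=value pairs,
# so whoever can read the cookie can read and alter the session data.
<Location "/app-plain">
    Session On
    SessionCookieName sess path=/app-plain
    SessionEnv On
</Location>

# Hardened form: the same cookie, but its contents are encrypted with
# AES-256 under a server-side passphrase, the cookie is marked HttpOnly
# and Secure (no script access, TLS only) and it expires after 30 minutes.
# Changing the passphrase invalidates every existing session cookie.
<Location "/app">
    Session On
    SessionMaxAge 1800
    SessionCryptoCipher aes256
    # Keep the real value out of world-readable config; the directive
    # SessionCryptoPassphraseFile can load it from a protected file.
    SessionCryptoPassphrase PLACEHOLDER-change-me
    SessionCookieName sess path=/app;httponly;secure;
    # Expose the decrypted session to the application as HTTP_SESSION,
    # and let the application replace it via the X-Replace-Session header.
    SessionEnv On
    SessionHeader X-Replace-Session
</Location>
```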

Venom Vulnerability

     If you’ve read about the Venom vulnerability, you need not be concerned with respect to our virtual machines here as we do not use floppy disk emulation in any of the virtual machines.  A floppy drive isn’t included in the default configuration of the virtual machines provided by any modern version of Linux that I am aware of.

     Beyond that, the network connections are provided by the virtual machine; if you were able to crash it, you wouldn’t have a network connection to it any more.  And since it’s crashed, any changes you made won’t be written to the virtual disk.

     There aren’t many uses for floppy drives on physical hardware these days, let alone a need to emulate one.  Since network connections are lost upon a crash, it is not a very useful remote exploit.  I suspect these are the reasons there are no known cases of this particular vulnerability being exploited even though it has existed since 2004.