Yesterday we received and applied a new security update contained in openssl-0.9.8l_2 designed to address “man in the middle attacks” which allows attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL.
As part of the upgrade, the shared object libssl.so.5 was deleted and replaced by libssl.so.7. Unfortunately this caused a number of services that depended on libssl.so.5 to fail. Services that were disrupted included email services, the restarting of apache2, and other services that make use of SSL or TLS connections.
Fortunately this problem was fixed by rebuilding all applications that depend on OpenSSL so that they pick up the new shared object. These applications include:
- Apache2
- Qmail
- SpamAssassin
- ClamAV
- Curl
- gnome-vfs
- gnutls
- neon28
- nmap
- ntp
- openldap-client
- p5-Crypt-OpenSSL-Bignum
- p5-Crypt-OpenSSL-RSA
- p5-Crypt-OpenSSL-Random
- p5-Crypt-SSLeay
- p5-Net-SSLeay
- php5-curl
- php5-ftp
- php5-imap
- php5-openssl
- proftpd
- soup
- subversion
- squirrelmail
- wget
We believe we have identified and rebuilt all applications impacted and we are continueing to monitor the situation to identify other possible failures.
UPDATE: 01/16/2009
We have completed a sweep of all of shared objects using ldd. This process identified a few more rebuilds (not listed above) to some packages not in general production use. The upgrade of OpenSSL is now complete.
WordPress released a security hardening release version 2.8.5. This update was applied on November 1. According to the WordPress Blog:
As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.
The headline changes in this release are:
- A fix for the Trackback Denial-of-Service attack that is currently being seen.
- Removal of areas within the code where php code in variables was evaluated.
- Switched the file upload functionality to be whitelisted for all users including Admins.
- Retiring of the two importers of Tag data from old plugins.
We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.
In addition, a security problem was discovered in the graphics library that WordPress uses for fast creation of images. Specifically, a remote buffer overflow vulnerability. The core module GD (gd-2.0.35_2,1) was updated on November 9. The PHP module that utilizes GD (php5-gd-5.2.11_2) was updated today.
If your hosting provider is not keeping up to date with their WordPress updates your website may be at risk. We invite you to take a look at our services and make the switch today.
This morning we received a security warning for php5-5.2.10
Affected package: php5-5.2.10
Type of problem: php5 — Multiple security issues.
Reference: <http://portaudit.FreeBSD.org/437a68cf-b752-11de-b6eb-00e0815b8da8.html>
Since we received the entire 5.2.11 release a day or two ago we went ahead and upgraded the entire php installation. The following modules were upgraded:
- pecl-fribidi-1.0
- php5-5.2.11_1
- php5-bcmath-5.2.11_1
- php5-bz2-5.2.11_1
- php5-calendar-5.2.11_1
- php5-ctype-5.2.11_1
- php5-curl-5.2.11_1
- php5-dba-5.2.11_1
- php5-dbase-5.2.11_1
- php5-dom-5.2.11_1
- php5-exif-5.2.11_1
- php5-ftp-5.2.11_1
- php5-gd-5.2.11_1
- php5-gettext-5.2.11_1
- php5-iconv-5.2.11_1
- php5-imap-5.2.11_1
- php5-mbstring-5.2.11_1
- libltdl-2.2.6a_1
- php5-mcrypt-5.2.11_1
- php5-mhash-5.2.11_1
- php5-mssql-5.2.11_1
- php5-mysql-5.2.11_1
- php5-mysqli-5.2.11_1
- php5-openssl-5.2.11_1
- php5-pcre-5.2.11_1
- php5-pdo-5.2.11_1
- php5-pdo_sqlite-5.2.11_1
- php5-posix-5.2.11_1
- php5-session-5.2.11_1
- php5-simplexml-5.2.11_1
- php5-soap-5.2.11_1
- php5-spl-5.2.11_1
- php5-sqlite-5.2.11_1
- php5-tokenizer-5.2.11_1
- php5-xml-5.2.11_1
- php5-xmlreader-5.2.11_1
- php5-xmlwriter-5.2.11_1
- php5-zip-5.2.11_1
- php5-zlib-5.2.11_1
The recent PHP update left the extensions.ini file sorted. Unfortunately some of the extensions contain dependencies that result in undeclared forward references. The .ini file was reordered to accommodate the build deficiency.
PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/local/lib/php/20060613/mysqli.so’ – /\
usr/local/lib/php/20060613/mysqli.so: Undefined symbol “spl_ce_RuntimeException” in Unknown on line 0
PHP Startup: Unable to load dynamic library ‘/usr/local/lib/php/20060613/soap.so’ – /us\
r/local/lib/php/20060613/soap.so: Undefined symbol “ps_globals” in Unknown on line 0
In addition, jpeg-7 was rebuilt.
PHP Startup: Unable to load dynamic library ‘/usr/local/lib/php/20060613/gd.so’ – Share\
d object "libjpeg.so.9" not found, required by "gd.so" in Unknown on line 0
We have upgraded our PHP installation to the latest release. The following modules have been updated:
- php5-5.2.10
- php5-bcmath-5.2.10
- php5-bz2-5.2.10
- php5-calendar-5.2.10
- php5-ctype-5.2.10
- php5-curl-5.2.10
- php5-dba-5.2.10
- php5-dbase-5.2.10
- php5-dom-5.2.10
- php5-exif-5.2.10
- php5-ftp-5.2.10
- php5-gd-5.2.10
- php5-gettext-5.2.10
- php5-iconv-5.2.10
- php5-imap-5.2.10
- php5-mbstring-5.2.10
- php5-mcrypt-5.2.10
- php5-mhash-5.2.10
- php5-mssql-5.2.10
- php5-mysql-5.2.10
- php5-mssql-5.2.10
- php5-mysqli-5.2.10
- php5-openssl-5.2.10
- php5-pcre-5.2.10
- php5-pdo-5.2.10
- php5-pdo_sqlite-5.2.10
- php5-posix-5.2.10
- php5-session-5.2.10
- php5-simplexml-5.2.10
- php5-soap-5.2.10
- php5-spl-5.2.10
- php5-sqlite-5.2.10
- php5-tokenizer-5.2.10
- php5-xml-5.2.10
- php5-xmlreader-5.2.10
- php5-xmlwriter-5.2.10
- php5-zip-5.2.10
- php5-zlib-5.2.10
- phpMyAdmin-3.2.0.1