Steve Hanson's blog

GHOST Busters!

You may have seen references to the GHOST exploit that was recently announced. You may also have seen some random reboots of our servers, taking you out of commission for 10 minutes or so. We're patching all of our systems against this exploit (just about done now). This is a fairly serious one that allows arbitrary code execution on servers, and comparatively speaking it is not all that hard to pull off. Unfortunately, since it's a glibc issue, we really need to reboot all of the servers to be completely protected. So -- if yo
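Why a glibc fix needs a reboot (or at least a restart of every long-running process): a process keeps using the copy of libc that was mapped into it when it started, and once the package manager has replaced the file on disk the kernel marks that old mapping "(deleted)" in /proc/<pid>/maps. The following Python script is an added example, not code from this post or from Cruiskeen's own tooling; it parses maps dumps for such stale libc mappings and, run as root on a Linux box, lists the processes that are still on the old library. The SAMPLE_MAPS text is constructed for the example.

```python
"""Report processes still mapping a replaced (deleted) copy of glibc.
Added example for this post; not the hosting provider's own tooling."""
import os
import re
from typing import Dict, List

# One /proc/<pid>/maps line: start-end perms offset dev inode path [ (deleted) ]
# We only care about file-backed mappings whose file has been replaced.
_DELETED_MAP_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/.+?)\s+\(deleted\)$"
)


def stale_libraries(maps_text: str, name_filter: str = "libc") -> List[str]:
    """Return de-duplicated paths of deleted mappings in one maps dump whose
    file name contains name_filter (default: the C library)."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = _DELETED_MAP_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if name_filter in os.path.basename(path) and path not in found:
            found.append(path)
    return found


def scan_running_processes(proc_root: str = "/proc",
                           name_filter: str = "libc") -> Dict[int, List[str]]:
    """Walk proc_root and map PID -> stale library paths for every process
    that still uses a replaced copy of the filtered library."""
    report: Dict[int, List[str]] = {}
    if not os.path.isdir(proc_root):      # non-Linux host: nothing to scan
        return report
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read(), name_filter)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                      # exited already, or not ours to read
        if stale:
            report[int(entry)] = stale
    return report


# Constructed sample: a process started before the glibc update (three
# segments of the old libc, all "(deleted)") and an already-current ld.so.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131 /usr/bin/sleep
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 393220 /lib64/libc-2.17.so (deleted)
7f3a2c1c0000-7f3a2c3c0000 ---p 001c0000 08:01 393220 /lib64/libc-2.17.so (deleted)
7f3a2c3c0000-7f3a2c3c4000 r--p 001c0000 08:01 393220 /lib64/libc-2.17.so (deleted)
7f3a2c400000-7f3a2c420000 r-xp 00000000 08:01 393200 /lib64/ld-2.17.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, libs in sorted(scan_running_processes().items()):
        print(f"pid {pid} still maps {', '.join(libs)}")
```

An empty report after the update means every process has been restarted against the new library; a non-empty one is the list of services that still need a restart, which on a box running many daemons is usually the argument for the reboot the post describes.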

POODLE Attack!

You may have heard the recent information about the POODLE attack. Essentially this is an issue where SSL connections may revert to the known-unsafe SSLv3 protocol. There's really no fix for SSLv3, but there IS a cure that amounts to disabling the fallback to older SSL protocols such as v3. We're going to be doing two things about this:

  1. We are in the process of rolling out the recent OpenSSL fix that uses TLS_FALLBACK_SCSV to stop the rollback to older SSL protocols.
  2. We are in the process of setting up to make our SSL servers no longer accept EITHER SSL2 or SSL3 as protocols. This is really the right thing to do, but it WILL mean that people using browsers that do not understand recent secure connection protocols will be in trouble. This specifically includes old versions of IE. The upshot of this is that once this is completed, people on Windows XP will no longer be able to make secure connections to our servers (with IE). We see this as a minor issue compared to the possibility of compromised security. We are NOT doing this step in the near future, but will be doing it as a normal consequence of a larger operating system upgrade some time in the next few months.
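The two steps above are two different server-side decisions, and it helps to see them side by side. The Python below is an added example, not code from this post and not OpenSSL's implementation: it parses a minimal TLS ClientHello, applies the TLS_FALLBACK_SCSV rule from RFC 7507 (the signalling suite value 0x5600 and the inappropriate_fallback alert are the RFC's; the simplified record parsing is mine), and then applies a hard minimum protocol version so SSLv3 is refused outright. build_client_hello only constructs sample input; an SSLv2-format hello is not a TLS record at all and is rejected by the parser.

```python
"""Server-side POODLE mitigation, illustrated: RFC 7507 fallback SCSV check
plus a minimum protocol version. Added example; not OpenSSL code."""
import struct
from typing import List, Tuple

TLS_FALLBACK_SCSV = 0x5600                    # RFC 7507 signalling cipher suite
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303


def build_client_hello(client_version: int, cipher_suites: List[int]) -> bytes:
    """Construct a minimal ClientHello record (sample input for the example)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version)
            + bytes(32)                                   # random (zeros, sample only)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", client_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record: bytes) -> Tuple[int, List[int]]:
    """Return (client_version, cipher_suites) from a ClientHello record,
    bounds-checking every length field before trusting it."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record (SSLv2-style hellos land here)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 34                                   # past version + random
    pos += 1 + body[pos]                       # skip session id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher suite length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return client_version, suites


def server_decision(record: bytes, server_max: int = TLS12,
                    server_min: int = TLS10) -> str:
    """Step 1 (RFC 7507): a client that retried at a lower version after a
    failed handshake includes TLS_FALLBACK_SCSV; if we support something
    higher than it is offering, the downgrade was forced, so send a fatal
    inappropriate_fallback alert.  Step 2: refuse anything below server_min
    (SSLv3 here) regardless of how the client got there."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "alert: inappropriate_fallback"
    if client_version < server_min:
        return "alert: protocol_version"
    return "accept"


if __name__ == "__main__":
    for label, hello in [
        ("modern client", build_client_hello(TLS12, [0xC02F])),
        ("downgraded client with SCSV", build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])),
        ("legacy SSLv3-only client", build_client_hello(SSL3, [0x002F])),
    ]:
        print(f"{label}: {server_decision(hello)}")
```

The SCSV check only helps clients that send it; a genuinely old client (the Windows XP / IE case in step 2) never sends it and is still allowed in on SSLv3 until the server_min rule is enforced, which is exactly why the post treats the two steps separately.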

More details on POODLE below the fold:

Drupal 7.32

It's security update day in Drupal land. Drupal 7.31 has a fairly serious SQL injection vulnerability, which is fixed in Drupal 7.32. At the moment we're testing Drupal 7.32 (already did this site) and will be rolling it out on sites that are under maintenance with us as the day goes on.

This is in fact a REALLY serious problem and exploits are already in the wild.

We strongly advise that people do this upgrade.

Bash Security Issue - update

Update -

New versions of bash were released overnight that fix the remaining security flaws in the shell. We are in the process of rolling out the second patch to all of our servers and will be finished some time around 10 AM Central Time.

Some of you may have seen the news yesterday about a serious bug in bash allowing code injection. We are currently in the process of applying updates to all of our servers for this security issue. Unfortunately it has been discovered that the currently available updates are only a partial solution. We are installing the partial upgrade and looking into some security workarounds until such time as we receive new patches from CentOS. We're working to continue to provide security to our customers.
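While a partial patch is in place, the practical question for a hosting provider is whether anyone is actually poking at the bash bug on its web servers. The injection works through environment variables, and on a web server the obvious carriers are HTTP header values (User-Agent, Referer, the request line) that CGI hands to a shell; an attempt shows up in the access log as a value beginning with a bash function definition, the "() {" token. The Python below is an added example, not from this post or from Cruiskeen: it runs that detection over Apache combined-format log lines. The SAMPLE_LOG lines are constructed, with RFC 5737 documentation addresses, and the only payload in them is a harmless echo.

```python
"""Flag Apache combined-log entries whose header values carry a bash
function definition (the trigger for the September 2014 bash bug).
Added example for this post; constructed sample data."""
import re
from typing import List, Tuple

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Empty parentheses followed by an opening brace, plain or URL-encoded,
# with optional whitespace in between. Ordinary user agents contain
# parentheses with text inside them, so "()" followed by "{" is rare.
FUNC_DEF_RE = re.compile(
    r"(?:\(|%28)\s*(?:\)|%29)(?:\s|%20)*(?:\{|%7B)", re.IGNORECASE
)

FIELDS = ("request", "referer", "agent")


def find_shellshock_probes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, field name, field value) for every combined-format
    line whose request, referer or user-agent carries a function definition.
    Lines that are not in combined format are skipped, not treated as hits."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in FIELDS:
            if FUNC_DEF_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


def probing_hosts(log_lines: List[str]) -> List[str]:
    """Distinct client addresses that sent at least one probe, in order seen."""
    seen: List[str] = []
    for ip, _field, _value in find_shellshock_probes(log_lines):
        if ip not in seen:
            seen.append(ip)
    return seen


# Constructed sample: two ordinary visitors and one host sending probes
# through three different header fields (one of them URL-encoded).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:07:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.9 - - [25/Sep/2014:07:12:03 -0500] "GET /cgi-bin/status HTTP/1.1" 200 118 '
    '"-" "() { :; }; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:07:12:04 -0500] "GET /cgi-bin/status HTTP/1.1" 200 118 '
    '"() { :; }; echo probe" "curl/7.37.0"',
    '198.51.100.22 - - [25/Sep/2014:07:12:05 -0500] "GET /node/5 HTTP/1.1" 200 8800 '
    '"-" "Mozilla/5.0 (compatible; Example/1.0 {beta})"',
    '203.0.113.9 - - [25/Sep/2014:07:12:06 -0500] '
    '"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo HTTP/1.1" 200 118 '
    '"-" "curl/7.37.0"',
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}  {field:8s} {value}")
    print("hosts:", probing_hosts(SAMPLE_LOG))
```

Running it over a real access log (replace SAMPLE_LOG with the file's lines) tells you whether the window between the first and second patch was actually probed, and from where; a hit against a CGI path on a server that was still on the partial fix is the case worth investigating further.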

What We Do

Cruiskeen Consulting is a general Internet consulting company, and we do multiple things. Primarily we provide high-capacity custom hosting for people who need high-performance, reliable hosting for their Content Management System sites. We primarily work with Drupal, and also do Drupal consulting and web design. Our hosting is tuned to be optimized for Drupal use, although it is also very effective for WordPress sites.

Our servers are set up for the Drupal developer, and have Drush, git, and other useful services pre-installed. We will happily work with you to provide other custom services for your site, such as Varnish, Apache Solr, and memcached. Our servers all use the APC PHP cache, and our default MySQL servers are configured for running Drupal well.
