Latest Updates
Jan 21

A vulnerability has been found in Linux kernels >=3.8 which could allow a local user to gain root access if combined with an exploit that allows an attacker to run arbitrary code (e.g. through a web application like WordPress or Joomla). See below for a list of affected distributions.

CWCS recommends customers immediately update their systems if a patch is available/required. As this requires an update to the kernel, it will be necessary to reboot the server after patching.

CWCS will apply applicable updates for customers with Gold and Platinum management; customers will be notified when the patches have been applied so that rebooting can be scheduled. If you are interested in learning more about our management options, please contact your account manager on 0800 1 777 000 / +44 115 740 1234.

Affected Distributions

CentOS

CentOS 5 and 6 are not affected, as they run earlier kernels. CentOS 7 is affected, and will be addressed in a future patch. The CentOS-announce mailing list is the place to keep an eye on for when CentOS release their patch:

https://lists.centos.org/pipermail/centos-announce/2016-January/thread.html

[Update 26/01/2016]: a patch for CentOS 7 is now available:

https://rhn.redhat.com/errata/RHSA-2016-0064.html

Debian

Debian 8 (jessie) is affected, and a patch has already been released:

https://security-tracker.debian.org/tracker/CVE-2016-0728

The fixed kernel version is 3.16.7-ckt20-1+deb8u3. Earlier Debian releases are not affected.

Ubuntu

For Ubuntu, the situation is complicated by their LTS Enablement Stacks (https://wiki.ubuntu.com/Kernel/LTSEnablementStack), which allow kernels from later releases to be run on earlier ones.

- Anything before 12.04 (precise) is EOL, but is not affected.

- 12.04 may be affected depending on the kernel version:

     * 12.04 without any linux-generic-lts-* package or with linux-generic-lts-quantal is not affected.

     * 12.04 with linux-generic-lts-raring or linux-generic-lts-saucy is affected, but these kernels are EOL, so will need upgrading to linux-generic-lts-trusty.

     * 12.04 with linux-generic-lts-trusty is affected, fixed in version 3.13.0-76.120~precise1 (http://www.ubuntu.com/usn/usn-2870-2/).

- 12.10 is EOL, but not affected.

- 13.04 and 13.10 are affected, but EOL.

- 14.04 is affected:

     * 14.04 without any linux-lts-* package is affected, fixed in version 3.13.0-76.120 (http://www.ubuntu.com/usn/usn-2870-1/).

     * 14.04 with linux-lts-utopic is affected, fixed in version 3.16.0-59.79~14.04.1 (http://www.ubuntu.com/usn/usn-2873-1/).

     * 14.04 with linux-lts-vivid is affected, fixed in version 3.19.0-47.53~14.04.1 (http://www.ubuntu.com/usn/usn-2871-2/).

     * 14.04 with linux-lts-wily is affected, fixed in version 4.2.0-25.30~14.04.1 (http://www.ubuntu.com/usn/usn-2872-2/).

- 14.10 is affected, but EOL.

- 15.04 is affected, fixed in version 3.19.0-47.53 (http://www.ubuntu.com/usn/usn-2871-1/).

- 15.10 is affected, fixed in version 4.2.0-25.30 (http://www.ubuntu.com/usn/usn-2872-1/).
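
The lists above give a fixed package version per release, but deciding whether a host is safe means comparing the installed kernel package against that version using dpkg's ordering rules (where a "~precise1" suffix sorts below the plain version), and then confirming the host has actually been rebooted into the patched kernel. The following is an added example written for this article, not CWCS's or any distribution's own tooling: it implements the Debian version comparison and, for Ubuntu's kernel naming scheme, checks the output of `uname -r` against a package version. The sample versions are taken from the advisory text above; the installed versions are constructed for illustration.

```python
import re

# Added example, not CWCS's code: Debian/Ubuntu package version comparison
# (the dpkg ordering rules), used to decide whether an installed kernel
# package is at or beyond the fixed version quoted in the advisory.


def _order(c):
    """Weight of one non-digit character under dpkg rules: '~' sorts before
    everything (even end of string), then end of string, then letters,
    then every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare two version fragments (upstream_version or debian_revision):
    alternate non-digit runs (lexical, via _order) and digit runs (numeric)."""
    while a or b:
        ra = re.match(r"\D*", a).group()
        rb = re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            ca = ra[i] if i < len(ra) else ""
            cb = rb[i] if i < len(rb) else ""
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        na = re.match(r"\d*", a).group()
        nb = re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision optional)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is lower than, equal to or higher than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def is_patched(installed, fixed):
    """True if the installed package version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def ubuntu_kernel_abi(version):
    """ABI of an Ubuntu kernel package version, e.g. '3.13.0-76.120~precise1'
    -> '3.13.0-76', which is the prefix `uname -r` reports ('3.13.0-76-generic').
    Ubuntu naming only; Debian kernel ABIs are numbered differently."""
    _, upstream, rev = _split(version)
    return upstream + "-" + rev.split(".")[0]


def running_kernel_is(uname_r, pkg_version):
    """True if the kernel reported by `uname -r` belongs to the given package
    version, i.e. the host has actually been rebooted into that kernel."""
    return uname_r.startswith(ubuntu_kernel_abi(pkg_version) + "-")


if __name__ == "__main__":
    # Constructed sample: a 12.04 host on the trusty LTS stack; the fixed
    # version is the one quoted in the advisory for that combination.
    fixed = "3.13.0-76.120~precise1"
    for installed in ("3.13.0-74.118~precise1", "3.13.0-76.120~precise1"):
        state = "patched" if is_patched(installed, fixed) else "NOT patched"
        print(installed, state)
    # Package updated but not yet rebooted: uname -r still shows the old ABI.
    print("3.13.0-74-generic running fixed kernel:",
          running_kernel_is("3.13.0-74-generic", fixed))
```

The `running_kernel_is` check is the one to run after patching: `dpkg -l` showing the fixed version is not enough, since the old kernel stays in memory until the reboot the advisory asks for.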

OpenSSH Vulnerability (CVE-2016-0777)
Posted by Barry French on 15 January 2016 12:59 PM

On 14th January 2016, a serious bug was discovered in OpenSSH. The bug can allow cryptographic keys to leak across secure connections.

The vulnerability resides only in the client packages and not the versions used by servers. But a maliciously configured server could exploit the bug to obtain the connecting computer's private key. This could then be used to perform a ‘man in the middle’ attack, allowing all data to be intercepted.

This bug uses a similar mechanism to the Heartbleed vulnerability of 2014. That bug was much more serious, whereas the OpenSSH bug can only be exploited after a vulnerable end user connects to a maliciously configured server. Regardless, CWCS recommends users take immediate action and update their servers' packages to the latest versions using yum and apt-get.

All CWCS managed servers are being patched automatically.

Affected systems:

  • Ubuntu 12.04
  • Ubuntu 14.04
  • Ubuntu 15.04
  • Ubuntu 15.10
  • CentOS 7
  • Debian 7 (Wheezy)
  • Debian 8 (Jessie)

If you think your server(s) may be affected and would like assistance applying the security patch, please feel free to contact our support team, who will be more than happy to assist, by phone on 0808 1333 247 or via the ticket system.

CentOS 6.7 + Plesk 12 Compatibility Issue
Posted by Julian Harse on 10 August 2015 02:44 PM

UPDATE 13/08/2015: Odin have now released a fix for this issue: http://download1.parallels.com/Plesk/PP12/12.0/release-notes/parallels-plesk-12.0-for-linux-change-log.html#12018-mu60

On Friday 7 August, CentOS 6.7 was released. Running 'yum update' on any CentOS 6 server should update it to version 6.7. However, this release introduces an incompatibility with Plesk 12. Running 'yum update' on affected servers will fail with dependency errors relating to the ImageMagick package.

Odin are aware of the issue and are working on a fix. In the meantime, we recommend that customers with CentOS 6 servers apply updates as usual to avoid missing out on important security patches. The following command can be used to apply updates but skip the problematic package:

# yum --skip-broken update

Once Odin release a fix for this issue, yum will be able to update ImageMagick to the latest version, at which point 'yum update' should start working as normal once again.

CWCS will manage updates for customers with the Gold and Platinum management service. If you would like to learn more about these service options, please contact our sales team on 0800 1 777 000 (+44 115 740 1234).

WordPress 4.2.4 Security and Maintenance Release
Posted by Julian Harse on 05 August 2015 11:12 AM

WordPress 4.2.4 is now available. This is a security release which fixes a number of security vulnerabilities.

CWCS strongly encourage you to update your sites immediately to ensure the security of your websites is not compromised.

Ubuntu 10.04 Reaches End of Life Support on 30th April
Posted by Liam Docherty on 20 April 2015 10:28 AM

Ubuntu 10.04 officially ends its support life on 30th April 2015. What does this mean? It is now unsupported, and no patches will be released for the latest security issues and bugs found by its creators.

If you are running Ubuntu 10.04 on your server, your website(s) and other properties are at high risk of being hacked and corrupted.

CWCS advise that all customers running Ubuntu 10 upgrade their operating system. In some cases an upgrade of the OS is possible, but in others your server may have to be upgraded too.

If you're unsure whether this applies to you, or for more advice, contact the sales team today to discuss your options. CWCS is able to assist you with the upgrade.
