[opensuse] Running old version
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.

My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?

Chris
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Chris, et al --

...and then Christopher Myers said...
%
% I have a quick question for folks who run old versions of oS. I know
...
% of many months to run smoothly and exactly the way we want/need it to.

I'm stuck there, but because I chose SuSE for my Plesk build but Plesk hasn't yet come out with a modern version. I'm not looking forward to it, but I think I'm going to have to switch to their RH variant because it's current. Bummer, but I'm getting *more* busy in life, not less.

%
% My question is - how do other folks handle security vulnerabilities
% like this current bash vulnerability? Since oS isn't releasing patches
% for 11.4, 12.2, etc. anymore, how do you get around that? Just leave
% your machines vulnerable? Or compile your own patches?

So far it's been "compile my own", and I do *not* have the time for this stuff :-( I'd love to stick with SuSE, but I need something better!

%
% Chris

HAND

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 25/09/2014 15:48, Christopher Myers wrote:
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For some years, I had to run an old server with an old Debian install. I couldn't update because the config was awful; I say I managed it because the previous manager left :-( It ran well for 3 years like this before I could find time to rebuild the whole system (including hardware), but I monitored it pretty closely and never found any suspect activity (in fact nearly no activity at all :-)

jdd
Christopher Myers wrote on 2014-09-25 08:48 (GMT-0500):
how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
11.4 is Evergreen, which already has an update available for the more troubling initial bash problem.
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers <cmyers@mail.millikin.edu> wrote:
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For bash / shellshock, why do you think you're vulnerable?

AIUI, it's not an escalation vulnerability, it just allows apps to get out of a sandbox. Thus if you have a webserver on your machine, it might let a webclient get out of the apache setup and into machine proper. They would still only have the privileges of Apache (or whatever user you run your webserver as.)

Are you running any services on those old machines that serve the Internet?

If the only service is ssh, then the user has to log into ssh before trying anything. If you let those ssh users have an unlimited shell already, I don't think the vulnerability will give them any new way to penetrate your machine.

Greg
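Greg's two questions (is your bash actually affected, and is there a network service that hands requests to it) can be turned into a local self-check. The script below is an added example for this thread, not code from any of the posters or from openSUSE. It assumes a POSIX sh with env and grep available, uses the standard Apache directive names (LoadModule, ScriptAlias, Options ExecCGI), and the two configuration snippets are constructed for the example rather than taken from a real host.

```sh
#!/bin/sh
# Added example (not from the thread or from openSUSE): two local checks for an
# old box.
#   1. Does the installed bash still import function bodies from the
#      environment and run the code that follows them? A patched bash does not.
#   2. Does an Apache config hand requests to CGI at all? That is the route by
#      which a web client's request reaches bash in the first place.
# Apache directive names are the standard ones; the sample configs below are
# constructed for this example and do not come from any real host.

# Returns 0 if bash ignores trailing code after an environment-imported
# function (patched), 1 if it executes it, 2 if no bash binary is present.
bash_imports_env_functions() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    # The well-known probe: an environment variable whose value looks like a
    # function definition followed by one more command. Only "probe" should
    # ever print; a patched bash discards the trailing command.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Reads an Apache config on stdin. Returns 0 if it enables CGI execution
# (mod_cgi/mod_cgid loaded, a ScriptAlias, or "Options ... ExecCGI" without a
# leading "-"), 1 otherwise. Commented-out directives do not match because the
# pattern is anchored at the start of the line after optional whitespace.
config_enables_cgi() {
    grep -Eiq '^[[:space:]]*(LoadModule[[:space:]]+cgid?_module|ScriptAlias(Match)?[[:space:]]|Options[[:space:]]+([^#]*[[:space:]])?[+]?ExecCGI)'
}

# Constructed sample: a vhost fragment that does serve CGI.
SAMPLE_CGI_CONF='LoadModule cgi_module /usr/lib64/apache2/mod_cgi.so
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
</Directory>'

# Constructed sample: a static-only vhost with CGI explicitly switched off.
SAMPLE_STATIC_CONF='# LoadModule cgi_module /usr/lib64/apache2/mod_cgi.so
DocumentRoot "/srv/www/htdocs"
<Directory "/srv/www/htdocs">
    Options -ExecCGI -Indexes
    AllowOverride None
</Directory>'

report_conf() {
    if printf '%s\n' "$2" | config_enables_cgi; then
        echo "$1: CGI enabled, web requests can reach bash through it"
    else
        echo "$1: no CGI, that path to bash is closed"
    fi
}

# Report on this host's bash and on the two constructed configs.
bash_imports_env_functions
bash_rc=$?
case $bash_rc in
    0) echo "bash: patched, trailing code in environment functions is ignored" ;;
    1) echo "bash: still runs trailing code from environment functions" ;;
    2) echo "bash: no bash binary found" ;;
esac
report_conf "cgi vhost" "$SAMPLE_CGI_CONF"
report_conf "static vhost" "$SAMPLE_STATIC_CONF"
```

Run it as the user the web server runs as, and feed the real configuration with something like `cat /etc/apache2/*.conf /etc/apache2/vhosts.d/*.conf | config_enables_cgi` (paths are an assumption about the layout, adjust to the host). A "patched" result from the first check, or "no CGI" from the second, is exactly the information Greg asks for before deciding whether an unsupported release needs a rebuilt bash at all.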
On 09/25/2014 05:37 PM, Greg Freemyer wrote:
On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers <cmyers@mail.millikin.edu> wrote:
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For bash / shellshock, why do you think you're vulnerable?
AIUI, it's not an escalation vulnerability, it just allows apps to get out of a sandbox.
Perhaps into another, enclosing sandbox.
Thus if you have a webserver on your machine, it might let a webclient get out of the apache setup and into machine proper. They would still only have the privileges of Apache (or whatever user you run your webserver as.)
And if you run the Apache server chroot'd then even that is just in another sandbox. If you've taken care with the setup there is going to be a very limited set of executables and libraries available.

The main problem with chroot'ing is that it does little to nothing for the network side of things. If your chroot'd space has a PHP or Perl executable to support the CGI then the hacker could use those to make a network move. Of course the server could be running on a very stripped down virtual host with a virtual IP address and very aggressive fire-walling.

But the major problem is the database. Most web based applications are backed by a database. Perhaps it runs on another machine and is accessed via a network connection. After the hack it can still be accessed.

But please do run the server chroot'd or in a VM as a baseline measure. It may not be absolute security but it is another layer. There's no point in making things easy for the hackers.
Are you running any services on those old machines that serve the Internet?
If the only service is ssh, then the user has to log into ssh before trying anything. If you let those ssh users have an unlimited shell already, I don't think the vulnerability will give them any new way to penetrate your machine.
Indeed. SSH penetration is another, quite different, can of worms.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
All true, and good points :) I wasn't thinking so much specifically regarding this particular bash bug, but the broader issue of patches in general (heartbleed, et al.)

I'd considered going with 11.4 evergreen when I did the server build, but at the time couldn't get it to work on my box for whatever reason; it would make it about halfway through booting off of the media (dvd|network|flash all the same) and then the box would totally freeze regardless of what fixes I attempted from Google, what hardware was/wasn't installed, etc., so I had to do 12.2 (which worked fine.) I've done a ton of customization to the box and have it running very sweetly now, and don't have a compelling reason to upgrade it to the new evergreen.

It is mostly secured away from the nastier parts of the internet, so most patches aren't really necessary on it, but I was just curious what others were doing when they were in situations similar to mine.

Chris
On 26.09.2014 at 15:41, Christopher Myers wrote:
All true, and good points :) I wasn't thinking so much specifically regarding this particular bash bug, but the broader issue of patches in general (heartbleed, et al.)
I'd considered going with 11.4 evergreen when I did the server build, but at the time couldn't get it to work on my box for whatever reason; it would make it about halfway through booting off of the media (dvd|network|flash all the same) and then the box would totally freeze regardless of what fixes I attempted from Google, what hardware was/wasn't installed, etc., so I had to do 12.2 (which worked fine.) I've done a ton of customization to the box and have it running very sweetly now, and don't have a compelling reason to upgrade it to the new evergreen.
It is mostly secured away from the nastier parts of the internet, so most patches aren't really necessary on it, but I was just curious what others were doing when they were in situations similar to mine.
Honestly? I would build the required patches in OBS for myself. I started that back in 11.1 and let others get it as well and ooops, it was called Evergreen.

But actually, I'm not sure what the nastier parts of the Internet are. So it is a case by case decision. If you cannot fix it yourself and cannot make sure to avoid the possibility in the first place you are in trouble and really should update. At some point you'll have the pain anyway.

Wolfgang
participants (7)
- Anton Aylward
- Christopher Myers
- David T-G
- Felix Miata
- Greg Freemyer
- jdd
- Wolfgang Rosenauer