Greetings,

A pretty serious kernel vulnerability that makes it possible for users to snoop on each other's data was announced yesterday, and was patched today in Debian.

https://security-tracker.debian.org/tracker/CVE-2018-12130

Since we run servers with mutually untrusted users that can run arbitrary code, this impacts us pretty heavily. I've upgraded the kernel to 4.9.168-1+deb9u2 and rebooted minsky and shelob, since they allow members to run arbitrary code and present the highest risk. Minsky allows members to run a more limited set of programs via procmail, so I went ahead and patched that tonight as well.

The remaining servers aren't as critical since we don't allow members to run anything on them. I'll aim to update them tomorrow night, but there's a chance it'll be Friday or Saturday instead.

For gibran (afs), we'll need to spin up a temporary storage volume and move all of our data to lovelace beforehand, which is not as terrible as it sounds (just lots of waiting). I'm going to aim to handle that over the weekend. There will still be some impact, as mysql/postgres aren't redundant and will be offline for a few minutes while gibran reboots.

Once we're done with the upgrades I think this is worth making a brief -announce post so all members are aware we're patched.
_______________________________________________
HCoop-Discuss mailing list
[email protected]
https://lists.hcoop.net/listinfo/hcoop-discuss
