Re: [Dhis2-users] security vulnerability detected - dhis upgrade required

2013-12-25 Thread Jason Pickering
Hi Brajesh,

Lars's mail could have provided a bit more explicit advice I think, but as
you can see in Lars's email, it is stated

"We have upgraded dhis version 2.12, 2.13 and snapshot/trunk with the new
version."

I think the clear message is that anyone using DHIS2 should upgrade to the
latest versions 2.12 or 2.13. Older versions of DHIS2 will be subject to
this exploit. It is also described in a bit more detail
here.

The names do not have to be numerical only either. In order to be sure that
you are not suffering from this, you can invoke

"ps -ef | grep tomcat" to see all the processes which are running with the
tomcat user. If you are using a different username other than "tomcat6" or
"tomcat7" you should replace the username with the actual name.
Alternatively, you can do "ps -ef | grep tmp" to try and see if there is
anything running which should not be running from the "/tmp" directory. You
can then easily kill the process, but it will spawn again by itself. After
the upgrade to the latest version however, it should not reappear.

If you need a patch for your own branch, as Lars points out, it has been
committed to trunk
here.

Best regards,
Jason




On Wed, Dec 25, 2013 at 7:39 PM, Brajesh Murari wrote:

> Dear Lars,
>
> It's great news for DHIS2 regular users and system administrators, that one
> of big security vulnerability has been found/detected and remedial action
> can be taken to resolve the problem. But I am not that much sure that most
> of the implementers would like to upgrade live application on their server
> only for this problem, who are using DHIS 2.12 build as an assumption as
> a very good stable release in series so far since they are using DHIS 2.
> It's good that application should be upgraded DHIS 2.12 to DHIS 2.13 on live
> servers, but at the same time scrum masters should also release some
> stable patches releases as well for DHIS 2.12 release for fixing above
> stated like problems, that will prevent unnecessary wastage of time and
> money in system application version up-gradation only for fixing minor
> problem. Because in normal and general software implementation practices,
> we use to release patches to fix these types of issues, at the same time
> implementers' expectations are the same.
>
> Regards
> Brajesh Murari
>
>
> 
> Life Is A Collection of Poems.
>
>
>   On Wednesday, 25 December 2013 6:54 PM, Lars Helge Øverland <
> larshe...@gmail.com> wrote:
>  Hi,
>
> we have recently detected a security exploit on a couple of servers
> running dhis. The exploit seems to result in shell access with
> permissions of the user which is running tomcat.
>
>
> *Symptoms* of the exploit are presence of:
>
> - a file /tmp/fake.cfg.
> - various files with numeric-only names in /tmp directory.
> - massive outgoing network traffic (> 200 Gb per day).
>
> The files will be owned by the user running tomcat. The outgoing network
> traffic is likely to be part of denial-of-service attacks against other
> servers.
>
>
> *Cause* of the exploit is likely to be one or more weaknesses in Struts
> 2, which is a web framework used in dhis. These weaknesses have been fixed
> in Struts version 2.3.15.1. We have upgraded dhis version 2.12, 2.13 and
> snapshot/trunk with the new version. You can download the new WAR files
> from dhis2.org/downloads as usual.
>
>
> *To remove* the exploit you should do the following:
>
> - stop tomcat
> - upgrade your dhis version (to 2.12 or 2.13)
> - remove all of the above mentioned files from /tmp (all owned by tomcat
> user).
> - kill all processes owned by the tomcat user, or simply reboot the server.
> - delete all files and folders under /work/Catalina
> (not confirmed but to be on the safe side).
>
> If you have been running tomcat as root (sudo) then a full operating
> system re-install is recommended. There is no way to completely verify what
> an exploit can do with full permissions. Running tomcat as root is strictly
> discouraged in any case.
>
>
> *Summary*
>
> - In any case you should upgrade your dhis version, whether you see the
> symptoms or not.
> - If you see the symptoms but have been running dhis with regular,
> non-root privileges, you will be fine by following the removal steps.
> - If you see the symptoms and have been running dhis with root privileges,
> you should do a clean server installation.
>
>
> regards,
>
> Lars
>
> ___
> Mailing list: https://launchpad.net/~dhis2-users
> Post to: dhis2-users@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help  : https://help.launchpad.net/ListHelp

[Dhis2-users] Use of DHIS2 to evaluate quality of care provided by health institutions

2013-12-25 Thread MUKTAR GADANYA
Dear colleagues,

I am writing to ask if anyone here has used/configured, or knows someone
who has used/configured, DHIS2 to evaluate quality of healthcare provided
by health facilities. Any general sharing of experience and/or some
link(s)/document(s) will be very appreciated.

Thank you and,
Best regards,

Muktar


Dr. Muktar A. Gadanya, *MBBS,* *MSc (London), DLSHTM, MWACP, FMCPH, MFR*
Consultant Public Health Physician/Lecturer,
Department of Community Medicine,
Aminu Kano Teaching Hospital /Bayero University,
PMB 3452,
Kano,
Nigeria.
Email: gada...@gmail.com
LinkedIn: http://ng.linkedin.com/pub/Muktar-gadanya/13/228/722
Twitter: @gadanya
Skype: mgadanya

" Far and away the best prize that life offers is the chance to work hard
at a work worth doing"- Theodore Roosevelt


Re: [Dhis2-users] Fwd: [AEHIN-ORG] Meta Data & Data Standards for Health Domain (Draft) from MoH, Gov. of India

2013-12-25 Thread wanjala pepela
That is nice and hope will give some inputs
 
PEPELA WANJALA
MINISTRY OF HEALTH HEADQUARTERS
HEALTH INFORMATION SYSTEM
AFYA HOUSE, HIS LG 37
P.O BOX 30016, NAIROBI, KENYA
TEL: +254 (020) 2717077 EXT 45097
CELL: +254 (0) 722375633 or 0202033363
EMAIL: wanjal...@yahoo.com
    h...@health.go.ke
"Health Information Management - Making a World of Difference"
 



On Sunday, December 22, 2013 7:41 AM, Knut Staring  wrote:
 
Sent from my mobile
-- Forwarded message --
From: "Jai Ganesh" 
Date: 22 Dec 2013 01:33
Subject: [AEHIN-ORG] Meta Data & Data Standards for Health Domain (Draft) from 
MoH, Gov. of India
To:  
Cc: 


Dear All,
The Ministry of Health and Family Welfare, Government of India has made 
available the draft version of the 'Meta Data & Data Standards for Health' on 
public domain for review, comments and suggestions.

More information is available @
Draft Report on Meta Data and Data Standards (MDDS)

Regards
Jai

--
A.U. Jai Ganesh

India.
Vice-chair, Working Group on Health and Medical Informatics Education, 
International Medical Informatics Association (IMIA)
__
* To search the archives of this moderated mailing list, go to 
http://list.wpro.who.int/archives/AEHIN-ORG.html
* To send a message to all subscribers, send an email to 
aehin-...@list.wpro.who.int.
* To unsubscribe from the mailing list, send an email to 
lists...@list.wpro.who.int with no subject and in body of the message type: 
SIGNOFF AEHIN-ORG
* To subscribe again, send an email to lists...@list.wpro.who.int with 
no subject and in body of the message type:  SUBSCRIBE AEHIN-ORG
* To provide feedback on the mailing list and suggestions for 
improvements, send an email to: aehin-org-requ...@list.wpro.who.int.  


Re: [Dhis2-users] security vulnerability detected - dhis upgrade required

2013-12-25 Thread Brajesh Murari
Dear Lars,

It's great news for DHIS2 regular users and system administrators, that one of
big security vulnerability has been found/detected and remedial action can be
taken to resolve the problem. But I am not that much sure that most of the
implementers would like to upgrade live application on their server only for
this problem, who are using DHIS 2.12 build as an assumption as a very good
stable release in series so far since they are using DHIS 2. It's good that
application should be upgraded DHIS 2.12 to DHIS 2.13 on live servers, but at
the same time scrum masters should also release some stable patches releases as
well for DHIS 2.12 release for fixing above stated like problems, that will
prevent unnecessary wastage of time and money in system application version
up-gradation only for fixing minor problem. Because in normal and general
software implementation practices, we use to release patches to fix these types
of issues, at the same time implementers' expectations are the same.


Regards 

Brajesh Murari


Life Is A Collection of Poems.



On Wednesday, 25 December 2013 6:54 PM, Lars Helge Øverland wrote:
 
Hi,

we have recently detected a security exploit on a couple of servers running 
dhis. The exploit seems to result in shell access with permissions of the user 
which is running tomcat.


Symptoms of the exploit are presence of:

- a file /tmp/fake.cfg.
- various files with numeric-only names in /tmp directory.
- massive outgoing network traffic (> 200 Gb per day).

The files will be owned by the user running tomcat. The outgoing network 
traffic is likely to be part of denial-of-service attacks against other servers.


Cause of the exploit is likely to be one or more weaknesses in Struts 2, which 
is a web framework used in dhis. These weaknesses have been fixed in Struts 
version 2.3.15.1. We have upgraded dhis version 2.12, 2.13 and snapshot/trunk 
with the new version. You can download the new WAR files from 
dhis2.org/downloads as usual.


To remove the exploit you should do the following:

- stop tomcat
- upgrade your dhis version (to 2.12 or 2.13)
- remove all of the above mentioned files from /tmp (all owned by tomcat user).
- kill all processes owned by the tomcat user, or simply reboot the server.
- delete all files and folders under /work/Catalina (not 
confirmed but to be on the safe side).

If you have been running tomcat as root (sudo) then a full operating system 
re-install is recommended. There is no way to completely verify what an exploit 
can do with full permissions. Running tomcat as root is strictly discouraged in 
any case.


Summary

- In any case you should upgrade your dhis version, whether you see the 
symptoms or not.
- If you see the symptoms but have been running dhis with regular, non-root 
privileges, you will be fine by following the removal steps.
- If you see the symptoms and have been running dhis with root privileges, you 
should do a clean server installation.


regards,

Lars


[Dhis2-users] security vulnerability detected - dhis upgrade required

2013-12-25 Thread Lars Helge Øverland
Hi,

we have recently detected a security exploit on a couple of servers running
dhis. The exploit seems to result in shell access with permissions of the
user which is running tomcat.


*Symptoms* of the exploit are presence of:

- a file /tmp/fake.cfg.
- various files with numeric-only names in /tmp directory.
- massive outgoing network traffic (> 200 Gb per day).

The files will be owned by the user running tomcat. The outgoing network
traffic is likely to be part of denial-of-service attacks against other
servers.


*Cause* of the exploit is likely to be one or more weaknesses in Struts 2,
which is a web framework used in dhis. These weaknesses have been fixed in
Struts version 2.3.15.1. We have upgraded dhis version 2.12, 2.13 and
snapshot/trunk with the new version. You can download the new WAR files
from dhis2.org/downloads as usual.


*To remove* the exploit you should do the following:

- stop tomcat
- upgrade your dhis version (to 2.12 or 2.13)
- remove all of the above mentioned files from /tmp (all owned by tomcat
user).
- kill all processes owned by the tomcat user, or simply reboot the server.
- delete all files and folders under /work/Catalina
(not confirmed but to be on the safe side).

If you have been running tomcat as root (sudo) then a full operating system
re-install is recommended. There is no way to completely verify what an
exploit can do with full permissions. Running tomcat as root is strictly
discouraged in any case.


*Summary*

- In any case you should upgrade your dhis version, whether you see the
symptoms or not.
- If you see the symptoms but have been running dhis with regular, non-root
privileges, you will be fine by following the removal steps.
- If you see the symptoms and have been running dhis with root privileges,
you should do a clean server installation.


regards,

Lars
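
The symptom list in the advisory and the `ps` checks suggested in the reply can be combined into one check. This is an added example, not part of the original thread; it assumes a Linux host with /proc, is run as root, takes the tomcat user name as its argument, and its function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): look for the symptoms named in the
# advisory. Usage (as root): sh check_symptoms.sh <tomcat-user>   e.g. tomcat7

# Print files directly under DIR ($1) owned by USER ($2) that are named
# fake.cfg or have a digits-only name.
suspect_files() {
    find "$1" -maxdepth 1 -type f -user "$2" 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            fake.cfg)  printf '%s\n' "$path" ;;
            *[!0-9]*)  ;;                        # has a non-digit: not a match
            *)         printf '%s\n' "$path" ;;  # digits only
        esac
    done
}

# Print "PID EXE" for each process of USER ($1) whose executable lives under
# DIR ($2). Reads /proc/PID/exe, which still resolves (with a " (deleted)"
# suffix) when the file was removed after launch. This catches files whose
# names are not numeric, as the reply points out can happen.
procs_from_dir() {
    for pid in $(ps -u "$1" -o pid= 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        case $exe in
            "$2"/*) printf '%s %s\n' "$pid" "$exe" ;;
        esac
    done
}

# Run both checks against /tmp; return 1 if any symptom was found.
report() {
    user=$1
    files=$(suspect_files /tmp "$user")
    procs=$(procs_from_dir "$user" /tmp)
    [ -n "$files" ] && printf 'Suspect files in /tmp:\n%s\n' "$files"
    [ -n "$procs" ] && printf 'Processes running from /tmp:\n%s\n' "$procs"
    if [ -z "$files$procs" ]; then
        echo "No symptoms found for user $user"
        return 0
    fi
    return 1
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

A clean result does not replace the upgrade: the advisory says to upgrade whether or not the symptoms are present.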