[HCoop-Discuss] Marsh (shell), shelob (web), and minsky (mail) rebooted for 2018-12130 ("Zombieland")

Clinton Ebadi clinton at unknownlamer.org
Wed May 15 21:51:11 EDT 2019


Greetings,

A pretty serious kernel vulnerability that makes it possible for users
to snoop on each other's data was announced yesterday, and was patched
today in Debian.

https://security-tracker.debian.org/tracker/CVE-2018-12130

Since we run servers with mutually untrusted users that can run
arbitrary code, this impacts us pretty heavily.

I've upgraded the kernel to 4.9.168-1+deb9u2 and rebooted minsky and
shelob, since they allow members to run arbitrary code and present the
highest risk. Minsky allows members to run a more limited set of
programs via procmail, so I went ahead and patched that tonight as well.

The remaining servers aren't as critical since we don't allow members to
run anything on them. I'll aim to update them tomorrow night, but
there's a chance it'll be Friday or Saturday instead.

For gibran (afs), we'll need to spin up a temporary storage volume and
move all of our data to lovelace beforehand, which is not as terrible as
it sounds (just lots of waiting). I'm going to aim to handle that over
the weekend. There will still be some impact, as mysql/postgres aren't
redundant and will be offline for a few minutes while gibran reboots.

Once we're done with the upgrades I think this is worth making a brief
-announce post so all members are aware we're patched.