Line 1:
{{DISPLAYTITLE: Upgrade CentOS to have the latest patches}}

− = benefit to have the latest patches =
+ = Benefit to have the latest patches =
+ * Obtain the CentOS security updates
* Patch recent vulnerabilities
* Patch SNMP core files
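Review bot: the bullet "Patch SNMP core files" that this hunk keeps is undocumented anywhere else on the page; the body only ever describes the glibc update. Either add a line under = Details = naming the SNMP package (and the fixed version) that this bullet refers to, or drop the bullet so the benefit list matches what the procedure actually installs. The heading capitalisation fix and the new "Obtain the CentOS security updates" bullet are fine.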
Line 10:

= Details =
− The impact of this vulnerability on TelcoBridges products depends on their configuration. The vulnerability may only be triggered through requests for domain name resolution. Therefore, only units that enable such services may be exposed to the issue.

= Software Versions and Fixes =
− The TelcoBridges CentOS 5 repository has been updated with the latest glibc version. Services that use glibc must be restarted. Because glibc is thoroughly used in the Linux operating system, it is highly recommended to reboot the unit.

= Update procedure =
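Review bot: removing both paragraphs leaves = Details = and = Software Versions and Fixes = as empty headings in the new revision; either delete those headings as well or replace the GHOST-specific wording with generic text (that updated packages are published to the TelcoBridges CentOS 5 repository and that a reboot is recommended after a glibc update). The dropped sentence "Services that use glibc must be restarted" is the only place the page explains why the reboot step later in the procedure is required, so that rationale should survive the rewrite.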
Line 30:
* Click on the 'Apply action' button
* Repeat the process for all hosts listed
−
− == Command line interface ==
−
− * login with root account
− [root@TB011107 ~]# uname -m
− x86_64
− * If the result is not "x86_64", [[Support:Contacting TelcoBridges technical support|please contact TelcoBridges]] support, otherwise you can proceed with either method below.
− * Follow one of the two options depending if Internet is accessible from the unit
−
− === Option #1 - TMG unit or Linux server '''with access to Internet''' (i.e. with DNS configured) ===
−
− * update OS packages with yum
− yum clean all
− yum update
− * reboot the unit
− reboot
−
− === Option #2 - TMG unit or Linux server '''without access to Internet''' ===
− * download the following packages to your PC:
− ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm
− ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-common-2.5-123.el5_11.1.x86_64.rpm
− ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-devel-2.5-123.el5_11.1.x86_64.rpm
− ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-headers-2.5-123.el5_11.1.x86_64.rpm
− ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/nscd-2.5-123.el5_11.1.x86_64.rpm
− * Using WinSCP or similar tool, upload the files to the TMG unit using the root account
− * login with root account
− * Install packages
− yum localinstall glibc-2.5-123.el5_11.1.x86_64.rpm \
− glibc-common-2.5-123.el5_11.1.x86_64.rpm \
− glibc-devel-2.5-123.el5_11.1.x86_64.rpm \
− glibc-headers-2.5-123.el5_11.1.x86_64.rpm \
− nscd-2.5-123.el5_11.1.x86_64.rpm
− * '''Note''': that operation might take a long time since yum will probably experience timeouts when trying to access the external repositories.
− * Reboot the unit
− reboot
−
− = How to verify if the vulnerability is fixed? =
− * login with root account
− * execute the following to create a test script
− cat > rhel-GHOST-test.sh << FOF
− #!/bin/bash
− # rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. #
− # Version 3
− # Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #
− echo "Installed glibc version(s)"
−
− rv=0
− for glibc_nvr in \$( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
− glibc_ver=\$( echo "\$glibc_nvr" | awk -F- '{ print \$2 }' )
− glibc_maj=\$( echo "\$glibc_ver" | awk -F. '{ print \$1 }')
− glibc_min=\$( echo "\$glibc_ver" | awk -F. '{ print \$2 }')
−
− echo -n "- \$glibc_nvr: "
− if [ "\$glibc_maj" -gt 2 -o \( "\$glibc_maj" -eq 2 -a "\$glibc_min" -ge 18 \) ]; then
− # fixed upstream version
− echo 'not vulnerable'
− else
− # all RHEL updates include CVE in rpm %changelog
− if rpm -q --changelog "\$glibc_nvr" | grep -q 'CVE-2015-0235'; then
− echo "not vulnerable"
− else
− echo "vulnerable"
− rv=1
− fi
− fi
− done
−
− if [ \$rv -ne 0 ]; then
− cat <<EOF
−
− This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
− Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
− EOF
− fi
−
− exit \$rv
−
− FOF
− * Execute the script
− chmod +x rhel-GHOST-test.sh
− ./rhel-GHOST-test.sh
− * '''You should not see the 'vulnerable' string displayed'''
−
−
− = Verify system timezone =
− We found that some systems got the timezone reset to EST time after the GHOST patch procedures
− * Verify the timezone on the system
− date
−
− If it differs from the original, reset the timezone using the [[TMG:Change_Time_Zone|tbtimezone]] script.
−
−
− = References =
− * https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
− * https://access.redhat.com/articles/1332213
− * http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/
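Review bot: this hunk deletes the whole == Command line interface == section, so after the change the page ends at the GUI step "Repeat the process for all hosts listed" and describes only the GUI method, while the intro still promises a command line alternative. If the CLI method remains supported, keep at least the generic part of it (the "uname -m" architecture check, "yum clean all" / "yum update" and the reboot); the offline Option #2 hard-codes glibc-2.5-123.el5_11.1 package URLs that will go stale, so dropping that part is reasonable. Two removed items are not GHOST-specific and should be kept in generic form: the "= Verify system timezone =" step records a real post-patch side effect (timezone reset to EST, fixed with the tbtimezone script), and the reboot after the update is the only step that guarantees every process picks up the new glibc. The "= References =" list can go with the GHOST text, but the rhel-GHOST-test.sh credit to Red Hat goes with it, so nothing else on the page should continue to reference the script.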
The operator can use one of the two methods available: GUI/WebPortal or command line interface.