Blogroll Category: Technology

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 192 posts from the category 'Technology.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

Issues caused by the latest Imunify360 3.7.3 Beta update

CloudLinux - 4 hours 44 min ago

We’ve received reports that our latest Imunify360 3.7.3 Beta update can cause issues on sites running WordPress. We’ve evaluated the issues and are investigating the cause to prevent it happening in future releases.

Please accept our apologies, and do not update to the latest Imunify360 3.7.3 Beta until we post additional information on the cause of this issue.

Categories: Technology

Announcing our community writing program

Postmark - 7 hours 16 min ago

At Postmark, we’re not just passionate about developing a great product, we feel strongly about providing exceptional customer service as well. But quality service doesn't (and shouldn't) begin and end with a support email or a sales call. It must extend into all that we offer: documentation, transactional email guides, blog posts, and newsletters, as well as community-focused projects like Postmark Labs and our collection of open source tools. We've worked diligently to earn a reputation for providing a quality and dependable product, but we'd like to take that a step further and become a reliable source of information, too. That's why we're excited to announce that we're investing further into our technical content by inviting writers from our community to contribute to our blog.

As with our core product, the Postmark blog aims to be an invaluable resource for developers who want to design, send, and receive better and more reliable emails with their applications. We’re looking for writers who can contribute technical content that covers broad topics related to transactional email such as delivery, reputation, design, tools, and testing, as well as tutorials for using Postmark with specific languages and systems such as Python, Rails, Laravel, Node, and so on. By creating a tutorial for our blog, you will gain the ability to reach our targeted audience while helping us better serve our developer community. Oh, and you'll get paid for it, too.

If you feel your writing and ideas are a good fit for the Postmark blog and its audience, we encourage you to apply! All you have to do is fill out a brief form with your contact information and some writing samples, and then we'll review it and be in touch. We will respond to all applicants regardless of whether we decide to move forward with an assignment or not.

For the full details of how the writing process works, as well as the payment schedule and terms, head over to the application page. We look forward to hearing from you!

Categories: Technology

Imunify360 3.7.3 Beta is here

CloudLinux - Thu, 18/10/2018 - 19:41

We are pleased to announce that a new updated Imunify360 Beta version 3.7.3 is now available.

Tasks

  • DEF-6097: updated Proactive Defense plugin to version 0.5-6.

To install the new Imunify360 Beta version 3.7.3 please follow the instructions in the documentation.

The upgrading is available since Imunify360 version 2.0-19.

To upgrade Imunify360 on CentOS/CloudLinux systems, run the command:

yum update imunify360-firewall --enablerepo=imunify360-testing

To upgrade Imunify360 on Ubuntu systems, run the commands:

apt-get update
apt-get install --only-upgrade imunify360-firewall

More information on Imunify360 can be found here.

Categories: Technology

Alt-PHP updated

CloudLinux - Thu, 18/10/2018 - 18:48

New updated Alt-PHP packages are now available for download from our production repository.

Changelog:

alt-php71-7.1.23-1

  • ALTPHP-581: updated alt-php71 to version 7.1.23. Please find the detailed changelog here.

alt-php72-7.2.11-1

  • ALTPHP-581: updated alt-php72 to version 7.2.11. Please find the detailed changelog here.

Update command:

yum groupupdate alt-php

Categories: Technology

Encrypt that SNI: Firefox edition

CloudFlare - Thu, 18/10/2018 - 18:00

A couple of weeks ago we announced support for the encrypted Server Name Indication (SNI) TLS extension (ESNI for short). As promised, our friends at Mozilla landed support for ESNI in Firefox Nightly, so you can now browse Cloudflare websites without leaking the plaintext SNI TLS extension to on-path observers (ISPs, coffee-shop owners, firewalls, …). Today we'll show you how to enable it and how to get full marks on our Browsing Experience Security Check.


Here comes the night

The first step is to download and install the very latest Firefox Nightly build, or, if you have Nightly already installed, make sure it’s up to date.

When we announced our support for ESNI we also created a test page, https://encryptedsni.com, which checks whether your browser / DNS configuration is providing a more secure browsing experience by using secure DNS transport, DNSSEC validation, TLS 1.3 and ESNI itself when it connects to our test page. Before you make any changes to your Firefox configuration, you might well see a result something like this:


So, room for improvement! Next, head to the about:config page and look for the network.security.esni.enabled option (you can type the name in the search box at the top to filter out unrelated options), and switch it to true by double clicking on its value.


Now encrypted SNI is enabled and will be automatically used when you visit websites that support it (including all websites on Cloudflare).

It’s important to note that, as explained in our blog post, you must also enable support for DNS over HTTPS (also known as “Trusted Recursive Resolver” in Firefox) in order to avoid leaking the websites visited through plaintext DNS queries. To do that with Firefox, you can simply follow the instructions on this page.

Mozilla recommends setting up the Trusted Recursive Resolver in mode “2”, which means that if, for whatever reason, the DNS query to the TRR fails, it will be retried using the system’s DNS resolver. This is good to avoid breaking your web browsing due to DNS misconfigurations; however, Firefox will also fall back to the system resolver in case of a failed DNSSEC signature verification, which might affect users’ security and privacy, because the query will then be retried over plaintext DNS.

This is due to the fact that any DNS failure, including DNSSEC failures, from the DNS resolver is identified by the DNS SERVFAIL return code, which is not granular enough for Firefox to differentiate different failure scenarios. We are looking into options to address this on our 1.1.1.1 resolver, in order to give Firefox and other DNS clients more information on the type of DNS failure experienced to avoid the fallback behaviour when appropriate.

Now that everything is in place, go ahead and visit our Browsing Experience Security Check page, and click on the “Check My Browser” button. You should now see results something like this:


Note: As you make changes in about:config to the ESNI & TRR settings, you will need to hard refresh the check page to ensure a new TLS connection is established. We plan to fix this in a future update.

To test for encrypted SNI support on your Cloudflare domain, you can visit the “/cdn-cgi/trace” page, for example, https://www.cloudflare.com/cdn-cgi/trace (replace www.cloudflare.com with your own domain). If the browser encrypted the SNI you should see sni=encrypted in the trace output.

On the wire

You can also go a step further and download and build the latest Wireshark code from its git repository (this feature hasn’t landed in a stable release yet so building from source is required for now).

This will allow you to see what the encrypted SNI extension looks like on the wire, while you visit a website that supports ESNI (e.g. https://cloudflare.com).

This is how a normal TLS connection looks with a plaintext SNI:


And here it is again, but this time with the encrypted SNI extension:

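What the two captures above contain can also be checked programmatically rather than by eye. The script below is an added example, not Cloudflare's or Wireshark's code: it builds two minimal, constructed ClientHello messages, one carrying a plaintext server_name extension for cloudflare.com and one carrying only an encrypted SNI extension, and parses them back to report which is which. The server_name codepoint (0) is from RFC 6066; 0xffce is assumed here to be the extension codepoint used by the ESNI drafts of this period (the later Encrypted Client Hello drafts moved to a different one). Feed parse_client_hello() the first record of a real capture (for example via Wireshark's "Export Packet Bytes") and the "sni" and "esni" fields tell you which case you are looking at.

```python
"""Inspect a TLS ClientHello for a plaintext SNI versus an encrypted SNI extension.

Added example, not code from the post. The two ClientHello messages below are
constructed here (minimal, TLS 1.3 style) so the script runs offline.
"""
import struct

EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name
EXT_ESNI_DRAFT = 0xFFCE    # assumed: draft-ietf-tls-esni codepoint of this period


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname: str) -> bytes:
    """RFC 6066 server_name extension with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions: bytes) -> bytes:
    """Wrap extensions in a minimal ClientHello inside a TLS handshake record."""
    body = (
        b"\x03\x03"                 # legacy_version TLS 1.2
        + b"\x11" * 32              # random (fixed filler, constructed)
        + b"\x00"                   # empty legacy_session_id
        + b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the extension types present plus any plaintext SNI host name."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                   # record hdr + hs hdr + version + random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len
    comp_len = record[pos]
    pos += 1 + comp_len
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    result = {"extensions": [], "sni": None, "esni": False}
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        body = record[pos:pos + ext_len]
        pos += ext_len
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            # list length (2) | name_type (1) | host_name length (2) | host_name
            name_len = struct.unpack_from("!H", body, 3)[0]
            result["sni"] = body[5:5 + name_len].decode("ascii")
        elif ext_type == EXT_ESNI_DRAFT:
            result["esni"] = True                      # ciphertext: nothing to read
    return result


# Constructed samples: the "before" (plaintext SNI) and "after" (ESNI) cases.
PLAINTEXT_HELLO = build_client_hello(sni_extension("cloudflare.com"))
ESNI_HELLO = build_client_hello(_ext(EXT_ESNI_DRAFT, bytes.fromhex("1301" + "00" * 38)))

if __name__ == "__main__":
    for label, hello in (("plaintext", PLAINTEXT_HELLO), ("esni", ESNI_HELLO)):
        print(label, parse_client_hello(hello))
```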

Fallback

As mentioned in our earlier post there may be cases when the DNS record fetched by the client doesn’t match a valid key owned by the TLS server, in which case the connection using ESNI would simply fail to be established.

This might happen for example if the authoritative DNS server and the TLS server somehow get out of sync (for example, the TLS server rotates its own key, but the DNS record is not updated accordingly). But this could also be caused by external parties, for example, a caching DNS resolver that doesn’t properly respect the TTL set by the authoritative server might serve an outdated ESNI record even though the authoritative server is up-to-date. When this happens, Firefox will fail to connect to the website.

The way we work around this problem on the Cloudflare edge network is to make the TLS termination stack keep a list of valid ESNI keys for the past few hours, rather than just the latest key. This allows the TLS server to decrypt the encrypted SNI sent by a client even if a slightly outdated DNS record was used to produce it. The lifetime of ESNI keys needs to be balanced between increasing service availability, by keeping as many keys around as possible, and increasing the security and forward secrecy of ESNI, which on the contrary requires keeping as few keys as possible.
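The grace-window behaviour described above can be modelled in a few lines. This is an added example, not Cloudflare's edge code: the draft's real construction (a Diffie-Hellman exchange against the public key in the DNS record, then an AEAD) is replaced by a constructed toy in which the "DNS record" carries a key id and a secret the server also holds, and the SNI is XORed with a SHA-256 keystream. GRACE_SECONDS and ROTATE_SECONDS are assumed values. What it demonstrates is the policy: a client that encrypts under a record its resolver cached two rotations ago still gets through, one five rotations old fails closed, and pruning is what bounds the forward-secrecy exposure.

```python
"""Simulate an ESNI key ring with a grace window for stale DNS records.

Added example, not Cloudflare's code. The crypto is a toy stand-in; only the
rotation and pruning policy is the point.
"""
import hashlib
import os
from typing import Dict, Optional, Tuple

GRACE_SECONDS = 3 * 3600     # retired keys stay decryptable this long (assumed value)
ROTATE_SECONDS = 3600        # a fresh key is published this often (assumed value)


def _keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for the draft's AEAD: SHA-256 in counter mode. Not for real use.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EsniKeyRing:
    """Server side: the current key plus a bounded history of retired ones."""

    def __init__(self, now: float):
        self.keys: Dict[bytes, Tuple[bytes, float]] = {}   # key_id -> (secret, created_at)
        self.current = b""
        self.rotate(now)

    def rotate(self, now: float) -> None:
        secret = os.urandom(32)
        key_id = hashlib.sha256(secret).digest()[:4]
        self.keys[key_id] = (secret, now)
        self.current = key_id
        self.prune(now)

    def prune(self, now: float) -> None:
        # Forward-secrecy side of the trade-off: forget keys past the grace window.
        self.keys = {k: v for k, v in self.keys.items() if now - v[1] <= GRACE_SECONDS}

    def dns_record(self) -> Tuple[bytes, bytes]:
        """What the authoritative DNS would publish right now (constructed stand-in)."""
        return self.current, self.keys[self.current][0]

    def decrypt_sni(self, key_id: bytes, nonce: bytes, ct: bytes, now: float) -> Optional[str]:
        """Return the host name, or None if no acceptable key matches (fail closed)."""
        self.prune(now)
        entry = self.keys.get(key_id)
        if entry is None:
            return None
        return _xor(ct, _keystream(entry[0], nonce, len(ct))).decode("ascii")


def client_encrypt_sni(record: Tuple[bytes, bytes], hostname: str) -> Tuple[bytes, bytes, bytes]:
    """Client side: encrypt the SNI under whatever record its resolver handed back."""
    key_id, secret = record
    nonce = os.urandom(12)
    pt = hostname.encode("ascii")
    return key_id, nonce, _xor(pt, _keystream(secret, nonce, len(pt)))


def simulate(record_age_seconds: float) -> Optional[str]:
    """A resolver keeps serving a record captured at t0 while the edge rotates hourly."""
    t0 = 1_540_000_000.0                  # fixed epoch start (constructed)
    ring = EsniKeyRing(t0)
    stale_record = ring.dns_record()      # cached by a resolver that ignores the TTL
    t = t0
    while t + ROTATE_SECONDS <= t0 + record_age_seconds:
        t += ROTATE_SECONDS
        ring.rotate(t)
    key_id, nonce, ct = client_encrypt_sni(stale_record, "www.cloudflare.com")
    return ring.decrypt_sni(key_id, nonce, ct, t0 + record_age_seconds)


if __name__ == "__main__":
    print("2h-old record:", simulate(2 * 3600))   # decrypts
    print("5h-old record:", simulate(5 * 3600))   # None: connection would fail
```

GRACE_SECONDS is the knob: smaller means fewer old secrets held in memory (better forward secrecy) and more stale-record failures, which is exactly the balance the paragraph above describes.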

There is some room for experimentation while the encrypted SNI specification is not finalized yet, and one proposed solution would allow the server to detect the failure and serve a fresh ESNI record to the client which in turn can then try to connect again using the newly received record without having to disable ESNI completely. But while this might seem easy, in practice a lot of things need to be taken into account: the server needs to serve a certificate to the client, so the client can make sure the connection is not being intercepted, but at the same time the server doesn’t know which certificate to serve because it can’t decrypt and inspect the SNI, which introduces the need for some sort of “fallback certificate”. Additionally any such fallback mechanism would inevitably add an additional round-trip to the connection handshake which would negate one of the main performance improvements introduced by TLS 1.3 (that is, shorter handshakes).

Conclusion

On our part, we’ll continue to experiment and evolve our implementation as the specification evolves, to make encrypted SNI work best for our customers and users.

Categories: Technology

Beta: LVE Manager updated

CloudLinux - Thu, 18/10/2018 - 17:45

A new updated LVE Manager package is now available for download from our updates-testing repository.

Changelog:

lvemanager 4.0-25.15

  • WEB-1183: fixed empty domain while creating a new Node.js application in cPanel plugin.

To update run:

yum update lvemanager --enablerepo=cloudlinux-updates-testing

Categories: Technology

Don't let one bad apple spoil the whole box, Part 2 now published

CloudLinux - Thu, 18/10/2018 - 16:36

Web hosters running multi-site servers are a favourite target for today’s economy-minded hacker who uses one weak site to gain access to a whole box of others on the same server.

In Part 1 of his article “Avoid Multi-site Hacking”, the new lead of Imunify360, Greg Zemskov, explains exactly what the threat is and how to mitigate it, covering the specific risks of PHP-based CMSes, the distinction between technical and organizational protection strategies, and the benefits of site isolation.

In Part 2, Greg consolidates the two distinctions, giving concrete tips for improving multi-site server security and laying out the real-world consequences of not following them.

Read Part 1 | Read Part 2

Categories: Technology

Beta: CloudLinux 7 and CloudLinux 6 Hybrid kernel updated

CloudLinux - Thu, 18/10/2018 - 16:34

CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-962.3.2.lve1.5.24.2 is now available for download from our updates-testing repository.

Changelog:

  • Datacycle: disabled by default;
  • CLKRN-365: fixed protected hardlinks issue.

To update a kernel, please use the following command.

CloudLinux 7:

yum install kernel-3.10.0-962.3.2.lve1.5.24.2.el7 --enablerepo=cloudlinux-updates-testing

CloudLinux 6 Hybrid:

yum install kernel-3.10.0-962.3.2.lve1.5.24.2.el6h --enablerepo=cloudlinux-hybrid-testing

Categories: Technology

Why I’m helping Cloudflare grow in Germany, Austria, and Switzerland

CloudFlare - Thu, 18/10/2018 - 13:00

Why Cloudflare?

I am incredibly excited to announce that I’m joining Cloudflare as the Head of DACH to help to expand Cloudflare’s demand in Germany, Austria, and Switzerland. Having been in the technology industry for many years, Cloudflare’s mission to help build a better Internet was frankly the reason I joined, and I’m now very eager to start working towards this.

I quickly learned how Cloudflare helps to speed up and secure over 10 million Internet properties by protecting these customers from a wide range of online attacks and providing the reliability needed to run strong businesses. Security, privacy, and performance are key drivers for almost every business: from large traditional enterprises to purely online businesses and even individuals building their own personal brand. I could go on and on. The more I learned, the more excited I became.

One of Cloudflare’s major strengths is its global network. Cloudflare already has data centers in seven cities in the DACH region (with more to come) helping to ensure the Internet is fast, safe, and reliable for users online in the region. So while I get the honor of opening our first office in Germany (in Munich), I loved that Cloudflare had already been working towards this and in the market with customers.

Another important aspect for me was the company’s culture. During my interview experience with Cloudflare, I witnessed an incredible passion for the company from everyone, which left me with a strong feeling that this is the right environment for me. This team wants to make a difference. Cloudflare has a very determined team, and everyone is aligned behind the same goal: to help make the Internet better, for everyone. I also appreciated the company’s commitment to diversity in our employee base, and I will be building up the DACH team with that same commitment in mind. I can’t wait for what’s ahead.

Cloudflare is at the forefront of the direction the market is heading. We have an extremely talented and passionate team, and I am thrilled to now be a part of achieving Cloudflare’s mission.

What’s going on in the region?

Over the last 17 years, I have helped Symantec and Veritas to build strong teams and grow their businesses in Central Europe, including in the DACH region. I’m now excited to help expand on our strong global network and to build an even greater presence for Cloudflare in the DACH region.

Germany has the largest national economy in Europe and the fourth-largest by nominal GDP in the world. From many of the largest corporations in the world, to the thriving German “Mittelstand” companies, I see organisations in the region trying to gain advantages from technology in a secure, reliable, and scalable way. With the opening of the new office in Munich, and the ongoing support of our EMEA headquarters in London, we will be able to significantly step up our support for DACH customers and partners.

Looking ahead

I’m excited to get started. Please look out for announcements about upcoming customer events and webinars. I’d be delighted to meet you there in person. Or, you can get in touch with me at shenke (at) cloudflare.com.

And, in case you are wondering, yes, we are hiring in the region. We are looking for Account Executives and Solution Engineers in Munich. If you are interested in exploring a career on our team in Germany, please keep in touch.

Categories: Technology

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

Drupal Contrib Security - Wed, 17/10/2018 - 23:14
Project: Search Autocomplete
Date: 2018-October-17
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
CVE IDs: CVE-2018-7603
Description:

The Search Autocomplete module enables you to autocomplete text fields using data from your website (nodes, comments, etc.).

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users, or comments.

Solution: 

Install the latest version:

Also see the Search Autocomplete project page.

Categories: Technology

My First Grace Hopper Celebration

CloudFlare - Wed, 17/10/2018 - 21:30

Cloudflare #GHC18 team

I am 25+ years into my career in technology, and this was the very first time I attended a conference geared towards women.

A couple of weeks ago I went to Grace Hopper Celebration (#GHC18), and I can still feel the exuberant energy from the 22,000 women over the intensive 3 day conference. I attended with our Cloudflare team; our purpose was to connect with women in the greater tech community and recruit new talent to join our team and mission to help build a better Internet.

Cloudflare prioritizes GHC because we recognize that diversity in our company, and particularly in our technical departments, is crucial to our success. We believe that the best companies are diverse companies. This was Cloudflare’s second time sponsoring GHC, and I was part of the planning committee. This year I headed to the event with 20 of my colleagues to meet all of the incredible attendees, hold on-site interviews, and even host our own Cloudflare panel and luncheon.

Getting to #GHC18

Early Tuesday morning, the day before the conference, as I joined the Southwest Airlines boarding line at Oakland Airport, my fellow passengers were not the usual contingent of suited men on their way to business meetings. Instead I was surrounded by hundreds of women (and some men) in conversation about what to expect in Houston. The anticipation was palpable, and energy was invigorating.

The flight itself was essentially a Grace Hopper networking event. I sat next to two others who were also attending on behalf of their companies. In my row there was a product manager at a well-known and successful startup, as well as an executive who was heading to Grace Hopper to learn and hire. That was the best professional conversation I ever had on an airplane. The topics ranged from how to scale data pipelines at rapidly growing software companies, to how to find and hire great women engineers. All three of us were using the spotty airplane wifi to communicate last-minute conference plans with our colleagues all heading to the event. One of my seatmates showed me a massive airplane selfie that one of his colleagues had sent him—the whole plane was filled with women from his company, and the pilot had even made a special announcement welcoming them.

Upon arriving in Houston there was more of the same energy—it was just warmer and a bit muggier now that we were in Texas. The area of Houston around the conference centre was overtaken by the 22,000 attendees, most of whom were women at various stages of their studies. Uber drivers were eager to ask us what the hell was going on. Why so many women?

Three Non-Stop Days at #GHC18


Cloudflare Expo Booth photo

As a member of the Cloudflare GHC contingent I had a few jobs—working the booth on the expo floor, interviewing candidates, and being one of four panelists at our Cloudflare: Women in Leadership Lunch.

Working the booth was a whole lot more fun than I could have imagined. I am an introvert and tend to avoid crowds and interactions with too many strangers. I surprised myself by taking on the role of “traffic control”— walking the expo floors and approaching women to ask if they are looking for a great place to work. Cloudflare is a great place to work so I could authentically express my feelings and also specifically speak to why it’s an ideal place to start your career. Cloudflare is a company where you work to solve some of the internet’s biggest problems at a scale where it has real impact.

I would then proceed to walk any interested people over to our booth so that myself and my colleagues could further engage them. I got so much from my conversations with these women. It gave me insight into why the celebration is so well attended. Women at various stages of their studies and careers had very specific reasons for being there.

The highlight of my week was the Women in Leadership Luncheon that Cloudflare hosted on the last day of the event. It gave us an opportunity to interact with some of the women we had met throughout the week in a more thoughtful and private way where we could open up about our careers and personal goals.


Cloudflare Women in Leadership Luncheon w/ Jessica Rosenberg, Jade Wang, Lisa Retief, and Suzanne Aldrich


We mingled with women in a relaxed setting, and had conversations about their situations and experiences. I found it very inspiring. As part of the event, I joined a panel with my three colleagues Jade Wang, head of developer relations, Rebecca Rosenberg, head of brand design, and Suzanne Aldrich, solutions engineering lead to share some of our experiences and career journeys. All of us have different paths and have landed in different areas of the company, but all play integral roles in Cloudflare’s success. I don’t think you can underestimate the impact of seeing someone you can relate to in a position you may aspire to. This is an opportunity I wish I had when I was younger, and now am thrilled to share with the next generation of leaders in tech.

Another personal highlight of GHC was getting to really know my colleagues, many of whom I had never directly worked with. We were a team of women and men across different departments and locations who were excited to represent Cloudflare and ready to make some hires. We all had fun doing this and worked well together. While I didn’t go out dancing and singing quite as often as some of them, I made friends who I now greet enthusiastically whenever we cross paths at work. Two things we look for in candidates are empathy and curiosity, so it was great to be able to bond with my colleagues and get to see that side and know each of them personally.


Team dinner @ #GHC18

As I left Houston, I reflected on the contrast between the national headlines and what I had experienced at the conference. The week had coincided with Dr. Christine Blasey Ford giving testimony that was resonant to many of us. It was hard to hear. In spite of this, I saw at the conference a groundswell of potential to transform today’s companies into places that can help effect change.

When people ask me about what it’s like being a woman in tech, I often joke that I have never had to wait in line for the restroom. And while I’m being funny, it’s true. GHC was a very different experience, however. For me, attending GHC was like entering an alternate universe — something like a Margaret Atwood speculative fiction novel, except this was not a dystopian future. It was a future I want to see happen.

I look forward to #GHC19.

Categories: Technology

Drupal 7.x and 8.x release on Oct 17th, 2018 - DRUPAL-PSA-2018-10-17

Drupal Public Service Announcements - Wed, 17/10/2018 - 21:11

The Drupal Security team has a core and contrib release window on the 3rd Wednesday of the month. This window normally ends at 5pm Eastern (9PM UTC).

Due to unforeseen circumstances, we are extending the current window we are in by 3 hours until Oct 17th, 2018 at 8pm Eastern (11:59PM UTC).

Categories: Technology

HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

Drupal Contrib Security - Wed, 17/10/2018 - 19:16
Project: HTML Mail
Date: 2018-October-17
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

The HTML Mail module lets you theme your messages the same way you theme the rest of your website.

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

  • If you are running Drupal 7.x,
    • update to 7.x-2.71.
    • In case you're still using 7.x-2.65, there is a version 7.x-2.66 which has only the security patch applied, but you must realize that you are running old code and you're missing a number of bug fixes.

Also see the HTML Mail project page.

Categories: Technology

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

Drupal Contrib Security - Wed, 17/10/2018 - 18:06
Project: Mime Mail
Date: 2018-October-17
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't sufficiently sanitize some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Mime Mail project page.

Categories: Technology

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Drupal Security - Wed, 17/10/2018 - 17:42
  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17
Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.


External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances such a user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths' permission to exploit it.


Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed. Although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.
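Both open redirects in this advisory (the path alias one above and the "destination" one here) need the same guard: before redirecting, confirm the target is a path on this site and nothing else. The function below is an added, language-independent illustration in Python, not Drupal's PHP fix, with the naive check that lets the bypasses through beside a stricter one. The bypass strings are constructed test inputs.

```python
"""Is a user-supplied redirect target local to this site?

Added example, not Drupal's code. The tricks covered are the generic ones for
this bug class: absolute URLs, protocol-relative '//host', backslash variants
that browsers normalise to '/', and control characters.
"""
from urllib.parse import urlsplit


def naive_is_local(dest: str) -> bool:
    # The tempting check: "starts with a slash, so it must be ours". Wrong:
    # '//evil.example' starts with a slash and the browser goes off-site.
    return dest.startswith("/")


def is_local_destination(dest: str) -> bool:
    """Accept only a same-site absolute path such as '/node/1?x=y#frag'."""
    if not dest or any(ord(c) < 0x20 or c == "\x7f" for c in dest):
        return False                              # empty, or CR/LF/tab smuggling
    candidate = dest.replace("\\", "/")           # browsers treat '\' like '/'
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False                              # not site-rooted, or protocol-relative
    parts = urlsplit(candidate)
    return not parts.scheme and not parts.netloc  # belt and braces: no host, no scheme


def safe_redirect_target(dest: str, fallback: str = "/") -> str:
    """What a redirect handler should actually use: the value or a safe default."""
    return dest if is_local_destination(dest) else fallback


if __name__ == "__main__":
    for sample in ("/node/1?foo=bar", "//evil.example", "/\\evil.example",
                   "https://evil.example/", "javascript:alert(1)", "node/1"):
        print(f"{sample!r:28} naive={naive_is_local(sample)!s:5} strict={is_local_destination(sample)}")
```

Rejecting relative paths without a leading slash is deliberate: a destination parameter on this site is always site-rooted, and a stricter allow-list is cheaper to reason about than a deny-list of host-shaped strings.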


Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
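The bug class behind this entry (and the HTML Mail and Mime Mail advisories above, which use the same wording) is a value from the application being spliced into a command line that a shell then parses. The example below is an added illustration in Python, not Drupal's code and not its fix: it shows the shape of the vulnerable call beside a hardened one, and what a shell would make of a hostile sender address. SENDMAIL is a placeholder path and nothing is executed by the sample.

```python
"""Vulnerable versus hardened hand-off of a sender address to a sendmail binary.

Added example, not Drupal's code. vulnerable_command() builds a shell string;
hardened_command() validates the value and uses an argv list so no shell is
involved at all.
"""
import re
import shlex
import subprocess
from typing import List

SENDMAIL = "/usr/sbin/sendmail"    # placeholder path (assumed)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def vulnerable_command(sender: str) -> List[str]:
    # Command built by string concatenation and handed to a shell: every shell
    # metacharacter in `sender` (; | & $( ) ` newline) is interpreted as syntax.
    return ["/bin/sh", "-c", f"{SENDMAIL} -t -i -f {sender}"]


def is_accepted(sender: str) -> bool:
    """Allow-list the return path: one plain addr-spec that cannot look like an option."""
    return bool(ADDR_RE.fullmatch(sender)) and not sender.startswith("-")


def hardened_command(sender: str) -> List[str]:
    if not is_accepted(sender):
        raise ValueError("refusing sender address: %r" % sender)
    # argv list: the value is exactly one argument whatever characters it contains.
    return [SENDMAIL, "-t", "-i", "-f", sender]


def send(argv: List[str], message: bytes) -> int:
    """Run the mailer with the message on stdin; argv must come from hardened_command()."""
    return subprocess.run(argv, input=message, check=False).returncode


def shell_commands(cmdline: str) -> List[List[str]]:
    """Roughly how /bin/sh -c cuts `cmdline` into separate commands at ';'."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    hostile = "victim@example.test; touch /tmp/pwned #"      # constructed input
    print("shell would run:", shell_commands(vulnerable_command(hostile)[2]))
    print("hardened:", hardened_command("alice@example.test"))
    try:
        hardened_command(hostile)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The validation step matters even with the argv list: a mail binary parses its own options, so a value beginning with "-" must never reach it as the argument of another flag.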


Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".


Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the latest 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

Categories: Technology

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Drupal Contrib Security - Wed, 17/10/2018 - 17:29
Project: Workbench Moderation
Date: 2018-October-17
Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Drupal core project page.

Categories: Technology

Beta: EasyApache 4 updated

CloudLinux - Wed, 17/10/2018 - 15:06

New updated EasyApache 4 packages are now available for download from our updates-testing repository.

Changelog:

ea-php71

  • Version 7.1.23;
  • EA-7904: updated EasyApache 4 PHP to version 7.1.

ea-php72

  • Version 7.2.11;
  • EA-7908: updated EasyApache 4 PHP to version 7.2.

Update command:

yum update ea-php7* --enablerepo=cl-ea4-testing

Categories: Technology

A Question of Timing

CloudFlare - Wed, 17/10/2018 - 13:00

Photo by Aron / Unsplash

When considering website performance, the term TTFB - time to first byte - crops up regularly. Often we see measurements from cURL and Chrome, and this article will show what timings those tools can produce, including time to first byte, and discuss whether this is the measurement you are really looking for.

Timing with cURL

cURL is an excellent tool for debugging web requests, and it includes the ability to take timing measurements. Let’s take an example website www.zasag.mn (the Mongolian government), and measure how long a request to its home page takes:

First configure the output format for cURL in ~/.curlrc:

$ cat ~/.curlrc
-w "dnslookup: %{time_namelookup} | connect: %{time_connect} | appconnect: %{time_appconnect} | pretransfer: %{time_pretransfer} | starttransfer: %{time_starttransfer} | total: %{time_total} | size: %{size_download}\n"

Now connect to the site dropping the output (-o /dev/null) since we’re only interested in the timing:

$ curl -so /dev/null https://www.zasag.mn
dnslookup: 1.510 | connect: 1.757 | appconnect: 2.256 | pretransfer: 2.259 | starttransfer: 2.506 | total: 3.001 | size: 53107

These timings are in seconds. Depending on your version of cURL, you may get more decimal places than this example. 3 seconds is a long time, and remember this is only for the HTML from the home page - it doesn’t include any JavaScript, images, etc.

The diagram below shows what each of those timings refer to against a typical HTTP over TLS 1.2 connection (TLS 1.3 setup needs one less round trip):

[Diagram: cURL timings against a typical HTTP over TLS 1.2 connection]

  • time_namelookup in this example takes a long time. To exclude DNS resolver performance from the figures, you can resolve the IP for cURL: --resolve www.zasag.mn:443:218.100.84.167. It may also be worth looking for a faster resolver :).
  • time_connect is the TCP three-way handshake from the client’s perspective. It ends just after the client sends the ACK - it doesn't include the time taken for that ACK to reach the server. It should be close to the round-trip time (RTT) to the server. In this example, RTT looks to be about 200 ms.
  • time_appconnect here is TLS setup. The client is then ready to send its HTTP GET request.
  • time_starttransfer is just before cURL reads the first byte from the network (it hasn't actually read it yet). time_starttransfer - time_appconnect is practically the same as Time To First Byte (TTFB) from this client - 250 ms in this example case. This includes the round trip over the network, so you might get a better guess of how long the server spent on the request by calculating TTFB - (time_connect - time_namelookup), so in this case, the server spent only a few milliseconds responding, the rest of the time was the network.
  • time_total is just after the client has sent the FIN connection tear down.
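The arithmetic in the bullets above (RTT from the TCP handshake, TTFB from the TLS checkpoint, server time as TTFB minus one round trip) applied to a cURL `-w` line, as an added example that is not code from the Cloudflare post. It parses the output format configured in `~/.curlrc` above; the sample line is the article's own www.zasag.mn measurement, and the plain-http handling (cURL reports `time_appconnect` as 0 when no TLS is involved) is an assumption about cURL's behaviour that is not discussed on the page.

```javascript
// Added example, not code from the Cloudflare post: parse a cURL "-w" line in
// the format configured in ~/.curlrc above and derive the per-phase timings.
// The sample line is the article's own www.zasag.mn measurement.
const SAMPLE_CURL_LINE =
  "dnslookup: 1.510 | connect: 1.757 | appconnect: 2.256 | pretransfer: 2.259 | " +
  "starttransfer: 2.506 | total: 3.001 | size: 53107";

// Turn "name: value | name: value ..." into an object of numbers.
function parseCurlTimings(line) {
  const fields = {};
  for (const part of line.split("|")) {
    const m = part.trim().match(/^(\w+):\s*(\d+(?:\.\d+)?)$/);
    if (!m) throw new Error(`unparseable field: "${part.trim()}"`);
    fields[m[1]] = Number(m[2]);
  }
  for (const name of ["dnslookup", "connect", "appconnect", "starttransfer", "total"]) {
    if (!(name in fields)) throw new Error(`missing field: ${name}`);
  }
  return fields;
}

// cURL's time_* values are cumulative from the start of the request (seconds),
// so each phase is the difference between consecutive checkpoints. Results are
// rounded to milliseconds, matching the three decimals cURL printed above.
function derivePhases(t) {
  const ms = (x) => Math.round(x * 1000) / 1000;
  // Assumption: for plain http:// cURL reports time_appconnect as 0; the request
  // then goes out right after the TCP handshake, so TTFB is measured from time_connect.
  const tlsDone = t.appconnect > 0 ? t.appconnect : t.connect;
  const rtt = t.connect - t.dnslookup;     // TCP handshake ~= one round trip
  const ttfb = t.starttransfer - tlsDone;  // request sent -> first byte about to be read
  return {
    dns: ms(t.dnslookup),
    rtt: ms(rtt),
    tls: ms(t.appconnect > 0 ? t.appconnect - t.connect : 0),
    ttfb: ms(ttfb),
    // TTFB minus one network round trip: a rough upper bound on server time.
    // A negative value just means the RTT estimate is too coarse to isolate it.
    server: ms(ttfb - rtt),
    download: ms(t.total - t.starttransfer),
    bytes: t.size,
  };
}

function analyseCurlLine(line) {
  return derivePhases(parseCurlTimings(line));
}

// Stand-alone run: node timing.js  (prints the derived phases for the sample line)
if (typeof require !== "undefined" && require.main === module) {
  console.log(analyseCurlLine(SAMPLE_CURL_LINE));
}
```

For the sample line this yields rtt 0.247, tls 0.499, ttfb 0.250 and server 0.003 seconds, i.e. the "few milliseconds" the article arrives at by hand; pipe real cURL output into `analyseCurlLine` one line at a time to compare several runs.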
Timing with Chrome

Chrome, and some other testing tools, use the W3C Resource Timing standard for measurements. In Chrome developer tools this looks like this:

[Screenshot: Chrome developer tools timing tab]

Again, here’s how this maps onto a typical HTTP over TLS 1.2 connection, also showing the Resource Timing attribute names:

[Diagram: Chrome timings against a typical HTTP over TLS 1.2 connection, with Resource Timing attribute names]

  • Stalled (fetchStart to domainLookupStart) is the browser waiting to start the connection, e.g. allocating cache on disk, if there are higher priority requests, or if there are already 6 connections open to this host.
  • Initial connection shown by Chrome is connectStart to connectEnd. Unlike cURL timings, this includes SSL connection setup, so if you want a fair estimate of RTT, this would be Initial connection - SSL. If an existing connection is being reused, then DNS Lookup, Initial connection and SSL won't be shown.
  • Request sent is the gap between connectEnd and requestStart, which should be negligible.
  • Similarly to cURL, if we subtract the TCP handshake time from TTFB, we can guess the amount of time the server really spent processing (again, we don't have an exact RTT timing, so this is an approximation).
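The Resource Timing mapping from the bullets above turned into code, as an added example that is not code from the Cloudflare post. It computes the phases Chrome shows (Stalled, DNS Lookup, Initial connection, SSL, Request sent, Waiting/TTFB, Content Download) from a `PerformanceResourceTiming`-shaped object, estimates RTT as Initial connection minus SSL, and handles the two cases the article notes or a practitioner hits straight away: a reused connection (the DNS/connect attributes collapse onto fetchStart, so no RTT estimate is possible) and a cross-origin resource without a `Timing-Allow-Origin` header (the network attributes read as 0). `SAMPLE_ENTRY` is a constructed entry in milliseconds, not a real measurement.

```javascript
// Added example, not code from the Cloudflare post: compute the phases the Chrome
// Network panel shows from a Resource Timing entry, using the attribute mapping
// given above. SAMPLE_ENTRY is constructed (ms since navigation start), not measured.
const SAMPLE_ENTRY = {
  name: "https://www.example.com/",
  startTime: 10,
  fetchStart: 10,
  domainLookupStart: 14,       // 4 ms stalled
  domainLookupEnd: 34,         // 20 ms DNS
  connectStart: 34,
  secureConnectionStart: 234,  // TCP handshake took 200 ms before TLS began
  connectEnd: 434,             // TLS took another 200 ms
  requestStart: 435,
  responseStart: 685,          // 250 ms "Waiting (TTFB)"
  responseEnd: 1180,
};

function chromePhases(e) {
  // Cross-origin resources without a Timing-Allow-Origin header expose only
  // startTime/fetchStart/responseEnd; the network attributes read as 0.
  if (e.requestStart === 0 && e.responseStart === 0) {
    return { name: e.name, restricted: true, total: e.responseEnd - e.startTime };
  }
  // A reused connection reports domainLookupStart..connectEnd all equal to
  // fetchStart, which is why Chrome then omits DNS Lookup, Initial connection and SSL.
  const reused = e.connectStart === e.connectEnd;
  const initialConnection = e.connectEnd - e.connectStart;      // includes TLS
  const ssl = e.secureConnectionStart > 0 ? e.connectEnd - e.secureConnectionStart : 0;
  const rttEstimate = reused ? null : initialConnection - ssl; // TCP handshake only
  const ttfb = e.responseStart - e.requestStart;                // Chrome's "Waiting (TTFB)"
  return {
    name: e.name,
    restricted: false,
    reused,
    stalled: e.domainLookupStart - e.fetchStart,
    dnsLookup: e.domainLookupEnd - e.domainLookupStart,
    initialConnection,
    ssl,
    rttEstimate,
    requestSent: e.requestStart - e.connectEnd,
    ttfb,
    // TTFB minus one round trip approximates time spent server-side; null when
    // the connection was reused and no handshake timing is available.
    serverEstimate: rttEstimate === null ? null : ttfb - rttEstimate,
    contentDownload: e.responseEnd - e.responseStart,
    total: e.responseEnd - e.startTime,
  };
}

// In a browser console: phases for every resource the page has loaded so far.
function chromePhasesForPage() {
  if (typeof performance === "undefined" || !performance.getEntriesByType) return [];
  return performance.getEntriesByType("resource").map(chromePhases);
}
```

Paste `chromePhases` and `chromePhasesForPage` into the devtools console to get the same numbers the Network panel draws, in a form you can sort or export; entries with `restricted: true` are third-party resources whose server did not opt in with `Timing-Allow-Origin`, so only their total duration is trustworthy.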
What are we looking for again?

These measurements, including TTFB, can be helpful in diagnosing problems, and might help you to delve into a specific problem, but do they actually tell you about how well a website is performing? Ultimately, if you are looking to measure the experience of users, the time it takes for the first byte of some HTML to return isn't effective. A web page might contain hundreds of images, it might have JavaScript and styles that need to load before you can interact. To reflect real user experience, you need to time how long until the web page becomes useful, and to take those measurements from a representative sample of where your users are accessing the site from. And that's a topic for another day :)


Imunify360 3.6.6 is here

CloudLinux - Wed, 17/10/2018 - 10:43

We are pleased to announce that a new updated Imunify360 version 3.6.6 is now available. This latest version embodies further improvements of the product as well as bugfixes.

Tasks

  • DEF-6162: AI-BOLIT vulnerabilities are now marked as suspicious.

Fixes

  • DEF-6170: blacklisted IP is no longer put into Gray List by sensor alert;
  • DEF-6205: do not fail if /etc/virtual/domainowners has wrong UTF-8 data;
  • DEF-6220: fixed CLNError() is not JSON serializable;
  • DEF-6221: fixed SEND_ADDITIONAL_DATA.enable label in settings in UI.

To install the new Imunify360 version 3.6.6 please follow the instructions in the documentation.

Upgrading is available from Imunify360 version 2.0-19.

To upgrade Imunify360 on CentOS/CloudLinux systems, run the command:

yum update imunify360-firewall

To upgrade Imunify360 on Ubuntu systems, run the commands:

apt-get update
apt-get install --only-upgrade imunify360-firewall

More information on Imunify360 can be found here.


LVE-Stats 2 updated

CloudLinux - Tue, 16/10/2018 - 16:28

Our team has released a fix for the security vulnerability discovered by Patrick William from Rack911 Lab. It is available from our production repository and updating is recommended.

Changelog:

lve-stats-2.9-4.2

  • LVES-923: fixed lve-stats .lock vulnerability.

To install run:

yum install lve-stats

To update run:

yum update lve-stats

To downgrade:

yum downgrade lve-stats
