• Problems Booting Debian Stretch under Paravirtualization

    Tue, 17 Jul 2018 06:36:00 -0700 - Chris Brannon

    If you upgrade Debian Stretch to linux-image-4.9.0-7 (kernel version 4.9.110-1), and you have a paravirtualized VPS, your system will not boot. There is a known and verified workaround: add pti=off to your kernel command line. You may also write support to ask about a PV to HVM conversion. If you do decide to convert to HVM, make sure to remove the workaround pti=off when the conversion is done.

    The Debian bug report is Bug 903821.

  • Firefox Multi-Account Containers

    Tue, 17 Jul 2018 06:35:00 -0700 - Sarah Newman

    If you are using the relatively new Firefox multi-account containers add-on, make sure that when you pay an invoice, that the link to the payment provider opens in the same container as the original invoice email. Otherwise any payment you make will not automatically be associated with your account.

  • Distributions updated

    Fri, 13 Jul 2018 13:30:00 -0700 - Chris Brannon

    We have updated our distribution images and netboot installers with a few new releases:

    • Alpine Linux 3.8.0 (netboot installer only)
    • CentOS 6, version 6.10
    • FreeBSD 11.2

    These distribution images and netboot installers are available from the management console. A full and up-to-date list of supported operating systems can also be found at the distributions page of our wiki.

  • CVE 2018-7183

    Fri, 13 Jul 2018 07:00:00 -0700 - Chris Brannon

    CVE 2018-7183 is a remote code execution vulnerability in ntpq. Here is the description:

    Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.

    This sounds very severe. It is a remote code execution vulnerability, after all. However, in order to be remotely exploited, it requires that someone run the ntpq command against a remote server. That is not usually done. The ntpq command is primarily just used with a local server, running on localhost. As remote code execution vulnerabilities go, this is probably one of the more benign.

    Some of the distribution images we provide contained packages with the vulnerability. All of our Ubuntu images have been rebuilt and are known to contain non-vulnerable versions. Debian Stretch has not yet updated its ntp package, so the package in our image still contains the bug. Debian’s security tracker claims that the version in Debian Jessie is affected, but the version number of the package in Jessie is not covered by this CVE. Suffice it to say, we’ll update our images when Debian does.

    References

  • Lazy FPU side-channel attack & Other Vulnerabilities Patched

    Fri, 29 Jun 2018 16:50:00 -0700 - Sarah Newman

    A couple of weeks ago CVE-2018-3665, a side-channel attack based on lazy FPU context switching, was announced. The embargo broke for it early and we were notitifed of the vulnerability the same day that it went public. That vulnerability was live-patched once we had adequate time to test the fix did not cause any issues. We concurrently live-patched denial of service vulnerabilities in Xen that were publicly released a couple of days ago.