 helen.ls.net - software status

Helen is a LAMP (Linux, Apache, MySQL, PHP) and FTP server which hosts ls.net and many of our clients' web servers. Much of this is "technical" and is included to assure users we keep an eye on bugs and security vulnerabilities. Users are encouraged to explore as they deem useful to satisfy their own intellectual curiosity about secure web hosting.

FTP is the simplest issue to address. The current version is vsftpd_2.2.2-3ubuntu6. There are no known security issues. There have been access issues which appear to have been mitigated by the upgrade to iptables_1.4.4-2ubuntu2 and some minor kernel configuration. Users who have had FTP access problems in the past are urged to try the current setup and report problems via http://ls.net/contact.

Mailman archives have been fixed. A few symbolic links turned hard with the last server migration (that was last year). If you have a mailing list at LSNet, you might check the admin pages and the archives. The Google Mail upgrade has caused users with both LSNet Gmail and Google accounts some grief. In most cases a careful reading of the Google messages will get you through.

The operating system has been upgraded to Ubuntu 10.04.1 LTS. This version is eligible for maintenance and security upgrades through April 2015. LTS (Long Term Support) versions are released at two-year intervals, the next in October 2012. The ".1" stands for the first maintenance upgrade for "10.04". Usually, the first maintenance release catches the majority of "bugs" introduced in the first version.

The kernel is "Linux helen 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64", released on 2010-11-22. This includes patches for CVE-2010-3698, which fixed an issue with KVM (Kernel-based Virtual Machine). We are not currently using KVM but are planning to incorporate it in the next LXC (Linux Containers) based VPS (Virtual Private Server) hosting planned by LSNet for 2011. Users are currently restricted to prevent cross-user damage and mischief. LXC-VPS will allow adventurous users to do as they wish within their own virtual machine.

The web server is "Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k". The specific Apache2 version is apache2_2.2.14-5ubuntu8.4, which includes a security patch for CVE-2010-1452. I've seen probes for this exploit in the logs but never caught a process crash that did not recover on its own. The Apache server starts processes as needed (within limits) to satisfy requests. While process crashes would place an increased burden on the server, the hardware is massive compared to the usual load, such that a temporary increase in server load is merely an inconvenience, not a catastrophe. Helen is monitored by bijk.com (you can see for yourself).

The scripting language used by ls.net and available to all web hosting users is php5. The specific version is php5_5.3.2-1ubuntu4.5, which includes a number of security patches including CVE-2010-1866, CVE-2010-1868, CVE-2010-1917, CVE-2010-2094, CVE-2010-2225, CVE-2010-2531, and CVE-2010-3065. We know of no actual exploits in php5.3.2 but we have "fixed" php code in several instances where syntax has tightened. Users who encounter PHP errors are encouraged to report them using the "Contact". The frequency of PHP vulnerability concerns is mitigated in part by the Suhosin-Patch.

Encryption is provided by mod_ssl and OpenSSL. The specific version of openssl is openssl_0.9.8k-7ubuntu8.5, which patches CVE-2010-4180, CVE-2010-3864, CVE-2010-2939, CVE-2009-3555, CVE-2009-3245, CVE-2010-0740, CVE-2009-4355, and other issues. SSL is the target for determined hackers and the vulnerabilities astound me. I am reduced to hoping the upstream people know what they are doing.
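The Ubuntu package revisions above carry backported fixes, so the upstream number in the server banner (2.2.14, 0.9.8k) does not show whether a CVE is patched; the package changelog does. The following is an added example, not part of the original page: it parses Debian-format changelog text and reports, for each required CVE, the package version whose entry mentions it, ignoring entries newer than the installed version. The changelog text, the "9.9-constructed-newer" version and the CVE-0000-0001 id are constructed placeholders.

```python
import re

# Constructed sample in Debian changelog format (not real changelog text).
# On a live host the input is /usr/share/doc/<package>/changelog.Debian.gz.
SAMPLE_CHANGELOG = """\
apache2 (9.9-constructed-newer) lucid-security; urgency=low

  * Constructed entry newer than the installed package (placeholder CVE id)
    - CVE-0000-0001

 -- Example <maint@example.invalid>  Fri, 01 Jan 2010 00:00:00 +0000

apache2 (2.2.14-5ubuntu8.4) lucid-security; urgency=low

  * SECURITY UPDATE (constructed entry)
    - CVE-2010-1452

 -- Example <maint@example.invalid>  Fri, 01 Jan 2010 00:00:00 +0000
"""

HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) ")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def cves_by_version(changelog_text):
    """Return [(version, {CVE ids})] in changelog order, newest entry first."""
    stanzas = []
    for line in changelog_text.splitlines():
        m = HEADER.match(line)
        if m:                      # a header line starts a new version stanza
            stanzas.append((m.group("ver"), set()))
        elif stanzas:              # body line: collect any CVE ids it names
            stanzas[-1][1].update(CVE_ID.findall(line))
    return stanzas

def audit(changelog_text, installed_version, required_cves):
    """Map each required CVE to the oldest installed-or-older version naming it, else None."""
    stanzas = cves_by_version(changelog_text)
    versions = [v for v, _ in stanzas]
    if installed_version not in versions:
        raise ValueError("installed version not found in changelog")
    # Newest first, so slicing from the installed version drops newer entries.
    older = stanzas[versions.index(installed_version):]
    result = {}
    for cve in required_cves:
        hits = [v for v, ids in older if cve in ids]
        result[cve] = hits[-1] if hits else None
    return result
```

A `None` result means the changelog up to the installed version never mentions that CVE, which is the case to investigate before relying on a "patched" claim.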

All in all, the last two weeks have been pregnant on the server front. We hope the new baby is happy and healthy.