Posted by Blue Box Group about 1 year ago...
A potential security concern has been found with the digest authentication code in Rails. The password block passed to authenticate_with_http_digest should return the stored password if a user is found and false if it is not; however, a bug was found where the block would return nil if an invalid username was used. The application would continue to process the validation in this case, which would allow an attacker to use an invalid username and a blank password to gain access to a protected area of an app.
While this issue will be fixed in Rails 2.3.3, a workaround for existing applications is to ensure that the password block never returns nil. If your code looks like this:
authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username]
end
...it should instead be changed to return false when the user is not found:
authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username] || false
end
A full writeup from the Rails development team can be found here:
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
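The following is an added example and not code from the original post or from Rails. It models only the contract described above (the password block must return the stored password for a known user and false, never nil, for an unknown one), shows that a finder-style backend has the same nil problem as a bare hash lookup, and gives a small audit helper you can point at your own block. The never_nil and returns_nil_for_unknown? helpers, the find_password stand-in and the USERS table are assumptions constructed for the example.

```ruby
# Added example; not code from the original post or from Rails. It models only
# the contract the post describes: the password block given to
# authenticate_or_request_with_http_digest must return the stored password (or
# HA1) for a known user and false, never nil, for an unknown one.

# Constructed sample user table (username => password).
USERS = { "alice" => "s3cret", "bob" => "hunter2" }

# The block body from the post before the workaround: a bare hash lookup,
# which yields nil for any username that is not in the table.
BEFORE = lambda { |username| USERS[username] }

# The block body after the workaround from the post.
AFTER = lambda { |username| USERS[username] || false }

# Constructed stand-in for a finder-style backend (a database lookup that
# returns nil when there is no match); it has the same nil problem.
def find_password(username)
  row = USERS.find { |name, _| name == username }
  row && row.last
end

# Hypothetical helper, not a Rails API: wraps any password procedure so a
# missing user always comes back as false, whatever the backend returns.
def never_nil(lookup)
  lambda { |username| lookup.call(username) || false }
end

# Audit helper: feed a password procedure usernames that must not exist and
# report whether any of them yields nil. Point it at your own block.
def returns_nil_for_unknown?(lookup, probes = ["", "no-such-user", "alice ", "ALICE"])
  probes.any? { |u| lookup.call(u).nil? }
end

if __FILE__ == $0
  { "hash lookup" => BEFORE,
    "hash lookup || false" => AFTER,
    "finder" => method(:find_password),
    "never_nil(finder)" => never_nil(method(:find_password)) }.each do |label, lookup|
    verdict = returns_nil_for_unknown?(lookup) ? "returns nil for unknown users (fix needed)" : "ok"
    puts "#{label}: #{verdict}"
  end
end
```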
Posted by Blue Box Group about 1 year ago...
Today at 3:30pm Pacific (Monday Jun 09 22:00:00 UTC 2009), one of our bandwidth carriers who handles about 1/6th of our inbound traffic suffered a network issue that caused increased latency and packet loss for a period of 15 minutes on traffic leaving our network over that link. We’ve communicated with that provider, and they’ve resolved the issue. We will continue to monitor that link and will drop our BGP session with them if we continue to see any network issues occur.
Thanks
Blue Box Tech Support
Posted by Blue Box Group about 1 year ago...
A Ruby security bug was announced this afternoon affecting all but the most recent versions of Ruby. Details on the announcement can be found here:
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby
We are in the process of updating our RPMs for our customers using our CentOS Rails stack. We will post in this blog when those RPMs are available for customers to update.
For Ubuntu/Debian customers, we recommend applying the work-arounds listed in the article until the patched versions hit the vendor repos.
We will keep this post updated with more information as it becomes available.
Update Wednesday @ 1:10 AM (Wed Jun 10 08:10:22 UTC 2009) - We have rebuilt our RPMs with Ruby 1.8.6-p369. These are going into testing now and are available immediately for any customer who wants them before we complete our tests. We expect to have the final versions pushed out into our yum repo by end of business today. If you wish to use the test versions, please contact support and we will get you a URL.
Update Wednesday @ 9:28 AM (Wed Jun 10 16:28:10 UTC 2009) - Our rebuilt packages have gone through preliminary testing and appear to be working well. We’ve pushed them out to all our internal slices and are running on them now.
To update, complete the following steps:
1) Confirm you're using our RPM stack by running the following command. If you see bbg-rails-stack in the output, you're using our RPM stack. If you don't, contact us for assistance.
$ rpm -qa | grep bbg-rails-stack
bbg-rails-stack-1.3-2
2) If so, you should be able to update with a simple yum command. If you’re not, please contact our support department for assistance.
$ yum -y update ruby
3) When that’s done, you can confirm the update worked one of two ways:
$ ruby -v
ruby 1.8.6 (2009-06-08 patchlevel 369) [x86_64-linux]
$ ruby -e 'require "bigdecimal"; BigDecimal("E99999999").to_s("F"); puts "OK For: CVE-2009-1904"'
OK For: CVE-2009-1904
If your version string doesn't match the above, or you get a segfault when running that Ruby test, the update didn't work.
4) Restart your application. For this change to take effect, you need to restart your application. If you're using Mongrel, restarting the processes will be fine. If you're using Passenger, you'll want to restart Apache or Nginx to restart the Passenger daemons.
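As an added example (not part of the original post), the step 3 verification written as a Ruby script that can be run across many hosts: it parses the `ruby -v` banner for 1.8.6-p369 and runs the BigDecimal probe in a child interpreter, reporting a crash as a failed check instead of relying on someone noticing a segfault. It assumes that 1.8.6 patchlevels above 369 also carry the fix; the function names are constructed for the example.

```ruby
# Added example, not from the original post: performs the step 3 verification
# and fails loudly instead of leaving a segfault to be noticed by eye.
require "rbconfig"

FIXED_VERSION    = "1.8.6"
FIXED_PATCHLEVEL = 369   # assumption: later 1.8.6 patchlevels also carry the fix

# Parses a `ruby -v` banner such as
#   ruby 1.8.6 (2009-06-08 patchlevel 369) [x86_64-linux]
# and returns true only for 1.8.6 at patchlevel 369 or later.
def patched_banner?(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+) \(\S+ patchlevel (\d+)\)/)
  return false unless m
  m[1] == FIXED_VERSION && m[2].to_i >= FIXED_PATCHLEVEL
end

# Runs the BigDecimal probe from the post in a child interpreter and reports
# whether that child died from a signal (a segfault arrives as SIGSEGV).
# A normal exit, even a non-zero one, means the interpreter did not crash.
def probe_crashed?(ruby = RbConfig.ruby)
  pid = Process.spawn(ruby, "-e", 'require "bigdecimal"; BigDecimal("E99999999").to_s("F")',
                      :out => File::NULL, :err => File::NULL)
  Process.wait(pid)
  $?.signaled?
end

# Returns [ok, message]; arguments default to the interpreter found on PATH.
def check_ruby(banner = `ruby -v`.strip, crashed = probe_crashed?)
  unless patched_banner?(banner)
    return [false, "version string does not match #{FIXED_VERSION}-p#{FIXED_PATCHLEVEL} or later: #{banner}"]
  end
  return [false, "BigDecimal probe crashed the interpreter; the update did not take effect"] if crashed
  [true, "OK For: CVE-2009-1904 (#{banner})"]
end

# Run as: ruby check_ruby.rb --check
if __FILE__ == $0 && ARGV.first == "--check"
  ok, message = check_ruby
  puts message
  exit(ok ? 0 : 1)
end
```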
If you can’t update your Ruby version for any reason, the Rails core team has listed a few temporary fixes you can try. Those are listed here:
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby
If you have any questions, please do let us know!
Posted by Blue Box Group about 1 year ago...
On Tuesday, June 23rd starting at 07:00 PST (14:00 UTC) and ending at 18:30 (June 24, 01:30 UTC) our data center service provider for our primary datacenter will be performing upgrades on two of the UPSes which provide power backup for the majority of Blue Box Group’s network and server equipment. During most of this maintenance window, BBG systems will be running on generator power. This is not an unusual maintenance window except in terms of the length of it. (Our data center service provider does monthly maintenance on the power systems, one step of which involves running all data center equipment on generator power for several hours.)
We anticipate no downtime as a result of this maintenance, but wanted to keep our customers informed of an increase in the risk of an outage during this window.
Posted by Blue Box Group about 1 year ago...
From 5:00pm to 5:20pm (Wed Jul 01 00:00:00 UTC 2009 to Wed Jul 01 00:20:00 UTC 2009), three distribution switches on our network experienced a VLAN issue which caused traffic to be incorrectly switched to the hosts they serve for a maximum period of about 20 minutes. Our network technicians immediately identified the problem and began implementing the fix at 5:05pm. Network access to all hosts was restored by 5:20pm. A number of hosts saw a much briefer outage.
This event was isolated to about 50 machines on our network. We've taken preventative measures to ensure that any switches on our network are configured in such a way that this cannot happen again, and are writing automated checks to ensure that any new switches brought onto our network are also configured in this protected manner.