Engine Yard Release Updates October 2014

The updates described are either important (where you need to take action) or of interest (you might want to know about these changes but you don't need to do anything).

Minor: Engine Yard Gentoo 2009 stack upgrade

October 29th, 2014

Action: We recommend you test this upgrade in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 2009 stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v2.png]

It's best practice to upgrade your Engine Yard Gentoo 2009 (stable-v2) stack regularly for the latest security and product updates. This week's updates:

  • Follow-up OpenSSL updates for CVE-2014-3513, CVE-2014-3566 (the "Poodle" vulnerability, as reported in our known issue), CVE-2014-3567, and CVE-2014-3568.

    This adds TLS_FALLBACK_SCSV support: a connection that starts with SSLv3 can still use SSLv3, but a connection that starts with TLS v1.0 or later can no longer be downgraded to SSLv3. SSLv3 remains disabled by default; you will need a custom cookbook recipe if you want to enable it.

  • Improvements for better Safe Harbor support.
  • Resolves missing /etc/fstab entries for database instances.

Minor: Engine Yard Gentoo 12.11 stack upgrade

October 29th, 2014

Action: We recommend you test this upgrade in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 12.11 stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v4.png]

It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates. This week's updates:

  • Follow-up OpenSSL updates for CVE-2014-3513, CVE-2014-3566 (the "Poodle" vulnerability, as reported in our known issue), CVE-2014-3567, and CVE-2014-3568.

    This adds TLS_FALLBACK_SCSV support: a connection that starts with SSLv3 can still use SSLv3, but a connection that starts with TLS v1.0 or later can no longer be downgraded to SSLv3. SSLv3 remains disabled by default; you will need a custom cookbook recipe if you want to enable it.

  • Improvements for better Safe Harbor support.
  • Resolves missing /etc/fstab entries for database instances.

For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.

Hotfix: Engine Yard Gentoo 2009 and 12.11 stack upgrades

October 16th, 2014

Action: We recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

It's best practice to upgrade your Engine Yard Gentoo stack regularly for the latest security and product updates.

This hotfix addresses the "Poodle" CVE-2014-3566 vulnerability, as reported in our known issue earlier this week.

If you use custom Chef, keep files, or deploy hooks, review them for any "ssl_protocols" lines and remove every SSLv3 reference.

You can test your website against this vulnerability by following the instructions at https://www.ssllabs.com/ssltest/. If you need help, submit a ticket with Engine Yard Support.

Minor: Engine Yard Gentoo 2009 stack upgrade

October 14th, 2014

Action: The following changes are applied the next time you click the Upgrade button for your Engine Yard Gentoo 2009 environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 2009 stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v2.png]

It's best practice to upgrade your Engine Yard Gentoo 2009 (stable-v2) stack regularly for the latest security and product updates. This week's updates:

  • Updates binary log controls to provide Unicode support.

Minor: Engine Yard Gentoo 12.11 stack upgrade

October 14th, 2014

Action: The following changes are applied the next time you click the Upgrade button for your Engine Yard Gentoo 12.11 environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 12.11 stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v4.png]

It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates. This week's updates:

  • Updates binary log controls to provide Unicode support.
  • Corrects issue in Magento recipe for enabling Redis caching.
  • Updates OpenSSL to 1.0.0n, which addresses CVE-2014-3508.

For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.

Hotfix: Engine Yard Gentoo 2009 and 12.11 stack upgrades

October 9th, 2014

Action: We recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

It's best practice to upgrade your Engine Yard Gentoo stack regularly for the latest security and product updates.

This hotfix updates Bash to provide additional assurance that these "shellshock" vulnerabilities have been addressed:

Notes:

If you have any long-lived Bash processes (for example, from cron jobs, custom Chef recipes, or existing SSH shells), you need to restart them to ensure that the server is fully protected.

The output can be confusing; look for '(deleted)', which means the binary on disk was replaced but the process still holds the old one open.

Here are specific instructions to help:

  1. Run lsof | grep '(deleted)' | grep bash.
  2. If there are any lines that show /var/tmp/portage/app-shells/bash-[some-value]/image/bin/bash (deleted), then ...
  3. The second field of the output is the PID for the process using that Bash; grep for it in ps. For example: ps -elf | grep 23050.
  4. Identify the processes using Bash and restart them.

    How to restart depends on your particular usage. In some cases you may need to identify the parent process (or a higher ancestor) of the process running Bash to determine which process you need to restart.

Hotfix: Engine Yard Gentoo 2009 stack upgrade

October 3rd, 2014

Action: We recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the "Engine Yard Gentoo 2009" stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v2.png]

It's best practice to upgrade your Engine Yard Gentoo 2009 (stable-v2) stack regularly for the latest security and product updates. This week's updates:

  • Updates Bash to address vulnerabilities identified in CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187 as well as the previous CVE-2014-6271 and CVE-2014-7169.

    Notes:

    If you have any long-lived Bash processes (for example, from cron jobs, custom Chef recipes, or existing SSH shells), you need to restart them to ensure that the server is fully protected.

    The output can be confusing; the part to look for is '(deleted)', which means the binary on disk was replaced but the process still holds the old one open.

    Here are specific instructions to help:

    1. Run lsof | grep '(deleted)' | grep bash.
    2. If there are any lines that show /var/tmp/portage/app-shells/bash-[some-value]/image/bin/bash (deleted), then ...
    3. The second field of the output is the PID for the process using that Bash; grep for it in ps. For example: ps -elf | grep 23050.
    4. Identify the processes using Bash and restart them.

      How to restart depends on your particular usage. In some cases you may need to identify the parent process (or a higher ancestor) of the process running Bash to determine which process you need to restart.
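The four-step lsof check above is the same one given in the October 9th hotfix entry and in the 12.11 entry that follows. The script below is an added example, not Engine Yard tooling: it automates that check, both by parsing lsof output (so it can be exercised offline against a constructed sample) and by reading /proc/<pid>/exe directly, and then prints each hit with its parent PID so you can find the supervisor that actually has to be restarted. The sample lsof lines, the bash-4.2_p50 path and the PIDs in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Engine Yard's own tooling: automate the lsof check from the
# hotfix notes. A process started before the Bash hotfix keeps the old, now
# unlinked binary mapped; lsof and /proc both mark such mappings "(deleted)".
#
#   deleted_bash_pids_from_lsof "<lsof text>"   parse lsof output (used for the offline sample)
#   live_deleted_bash_pids                      read /proc/<pid>/exe on the host you are on
#   describe_pids <pid>...                      print pid, parent pid and command line

# lsof's second column is the PID; keep bash lines whose file is marked deleted.
deleted_bash_pids_from_lsof() {
  printf '%s\n' "$1" \
    | grep '(deleted)' \
    | grep bash \
    | awk '{ print $2 }' \
    | sort -un
}

# The same check without lsof: the kernel appends " (deleted)" to the
# /proc/<pid>/exe link target once the executable has been unlinked.
live_deleted_bash_pids() {
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
      */bash*" (deleted)") printf '%s\n' "$exe" | cut -d/ -f3 ;;
    esac
  done | sort -un
}

# Show each PID with its parent so you can walk up to the supervisor
# (cron, sshd, monit, ...) that actually has to be restarted.
describe_pids() {
  for pid in "$@"; do
    ps -o pid=,ppid=,args= -p "$pid" 2>/dev/null
  done
}

# Constructed sample of lsof output; the bash-<version> path and the PIDs are
# made up. Only the two "(deleted)" bash lines should be reported.
SAMPLE_LSOF='bash      23050    deploy  txt    REG  202,1   959888  131092 /var/tmp/portage/app-shells/bash-4.2_p50/image/bin/bash (deleted)
bash      23050    deploy  mem    REG  202,1  1979000   13315 /lib64/libc-2.15.so
nginx      1200      root  txt    REG  202,1   876544   22021 /usr/sbin/nginx
bash       4411      root  txt    REG  202,1   959888  131092 /var/tmp/portage/app-shells/bash-4.2_p50/image/bin/bash (deleted)
bash       5120    deploy  txt    REG  202,1   959888  140001 /bin/bash'

if [ "${1:-}" = "--live" ]; then
  pids=$(live_deleted_bash_pids)
  if [ -n "$pids" ]; then
    echo "processes still running a replaced bash binary (pid ppid command):"
    describe_pids $pids
  else
    echo "no process is holding a deleted bash binary open"
  fi
else
  echo "PIDs reported from the constructed lsof sample:"
  deleted_bash_pids_from_lsof "$SAMPLE_LSOF"
fi
```

Run it with no arguments to see the parser applied to the constructed sample, or with --live on an upgraded instance to list real processes; a run that prints nothing in live mode means no long-lived shell is still using the pre-hotfix binary.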

Hotfix: Engine Yard Gentoo 12.11 stack upgrade

October 3rd, 2014

Action: We recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.

Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the "Engine Yard Gentoo 12.11" stack. You can access it by using the Stack select field in the Environment UI:

[Screenshot: stack_stable-v4.png]

It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates. This week's updates:

  • Updates Bash to address vulnerabilities identified in CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187 as well as the previous CVE-2014-6271 and CVE-2014-7169.

    Notes:

    If you have any long-lived Bash processes (for example, from cron jobs, custom Chef recipes, or existing SSH shells), you need to restart them to ensure that the server is fully protected.

    The output can be confusing; the part to look for is '(deleted)', which means the binary on disk was replaced but the process still holds the old one open.

    Here are specific instructions to help:

    1. Run lsof | grep '(deleted)' | grep bash.
    2. If there are any lines that show /var/tmp/portage/app-shells/bash-[some-value]/image/bin/bash (deleted), then ...
    3. The second field of the output is the PID for the process using that Bash; grep for it in ps. For example: ps -elf | grep 23050.
    4. Identify the processes using Bash and restart them.

      How to restart depends on your particular usage. In some cases you may need to identify the parent process (or a higher ancestor) of the process running Bash to determine which process you need to restart.

  • Fixes incorrect value for innodb_buffer_pool_size.
    • If you upgraded your Engine Yard stack on or after September 24th, 2014, and you created a database instance (master or replica) after the upgrade, or you restarted your existing database, you might need to restart your mysql process for this fix to take effect. To restart MySQL, run the following command on any impacted instance:

      sudo /etc/init.d/mysql restart

      Important: Running this command on a database master will cause downtime. It is recommended that you do so during low-traffic times and put up a maintenance page.

    • To see if your instances are impacted prior to upgrading, run the following command:

      ip-172-31-19-50 ~ # grep innodb_buffer_pool_size /etc/mysql/my.cnf
      innodb_buffer_pool_size        = 

      If the value in the configuration is blank, as in this example, or if the value is 1275MB and your instance is not an M1 Small or C1 Medium, then you are affected by this issue and need to apply the update.

    • To see if your instances also need to have the database restarted, run the following:

      ip-172-31-19-50 ~ # mysql -e"show global variables like 'innodb_buffer_pool_size'"
      +-------------------------+------------+
      | Variable_name           | Value      |
      +-------------------------+------------+
      | innodb_buffer_pool_size | 134217728  |
      +-------------------------+------------+

      If, as in the example, the value is lower than 1336934400 for a standalone database or lower than 536870912 for a single-instance environment, then the instance is affected. Additionally, if the value is exactly 1336934400 and your instance is not an M1 Small or C1 Medium, then you are affected. In either of these cases, you should restart the database after applying the update.
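The innodb_buffer_pool_size checks above combine a config-file rule and a runtime rule with thresholds that depend on instance type and role. The script below is an added example, not Engine Yard tooling, that encodes those rules so they can be applied mechanically: it parses the my.cnf line and the mysql client table shown above and answers both questions (apply the update? restart the database?). The instance type string (for example m1.small) and the standalone/single-instance role are passed in by the operator; how your environment exposes them is an assumption of the example, and the sample my.cnf and table contents are constructed.

```shell
#!/bin/sh
# Added example, not Engine Yard's own tooling: encode the innodb_buffer_pool_size
# rules from the notes (blank or 1275MB in my.cnf on anything other than an
# M1 Small / C1 Medium means the update is needed; a runtime value below the
# expected minimum, or exactly 1336934400 on a larger instance, means a restart
# is needed). The instance type and the standalone|single role are hypothetical
# parameters supplied by the operator, not Engine Yard settings.

SMALL_POOL=1336934400   # 1275 MB in bytes: correct only on M1 Small / C1 Medium
SINGLE_MIN=536870912    # 512 MB in bytes: floor for a single-instance environment

is_small_type() {       # $1 = instance type
  case "$1" in
    m1.small|c1.medium) return 0 ;;
    *) return 1 ;;
  esac
}

# Value on the innodb_buffer_pool_size line of my.cnf text ("" when blank).
config_pool_size() {    # $1 = my.cnf contents
  printf '%s\n' "$1" | awk -F= '/^[[:space:]]*innodb_buffer_pool_size[[:space:]]*=/ {
    gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Value column of the "show global variables" table printed by the mysql client.
runtime_pool_size_from_table() {   # $1 = mysql client output
  printf '%s\n' "$1" | awk -F'|' '/innodb_buffer_pool_size/ { gsub(/ /, "", $3); print $3; exit }'
}

# True (exit 0) when the configured value means the stack update must be applied.
config_needs_update() { # $1 = my.cnf contents, $2 = instance type
  value=$(config_pool_size "$1")
  [ -z "$value" ] && return 0
  [ "$value" = "1275MB" ] && ! is_small_type "$2" && return 0
  return 1
}

# True (exit 0) when the running server must be restarted after the upgrade.
runtime_needs_restart() { # $1 = bytes from the server, $2 = instance type, $3 = standalone|single
  case "$3" in
    standalone) [ "$1" -lt "$SMALL_POOL" ] && return 0 ;;
    single)     [ "$1" -lt "$SINGLE_MIN" ] && return 0 ;;
  esac
  [ "$1" -eq "$SMALL_POOL" ] && ! is_small_type "$2" && return 0
  return 1
}

# Constructed samples mirroring the two command outputs shown in the notes.
SAMPLE_CNF='[mysqld]
innodb_buffer_pool_size        = 
max_connections = 200'
SAMPLE_TABLE='+-------------------------+------------+
| Variable_name           | Value      |
+-------------------------+------------+
| innodb_buffer_pool_size | 134217728  |
+-------------------------+------------+'

report() {              # $1 = my.cnf contents, $2 = mysql output, $3 = instance type, $4 = role
  if config_needs_update "$1" "$3"; then
    echo "my.cnf: affected, apply the stack upgrade"
  else
    echo "my.cnf: ok"
  fi
  bytes=$(runtime_pool_size_from_table "$2")
  if runtime_needs_restart "$bytes" "$3" "$4"; then
    echo "running server ($bytes bytes): restart mysql after upgrading"
  else
    echo "running server ($bytes bytes): no restart needed"
  fi
}

# Offline demonstration on the constructed samples. On a real instance, pass
# "$(cat /etc/mysql/my.cnf)" and
# "$(mysql -e "show global variables like 'innodb_buffer_pool_size'")" instead.
report "$SAMPLE_CNF" "$SAMPLE_TABLE" m1.large standalone
```

The two rules are kept as separate predicates because they answer different questions: config_needs_update tells you whether the upgrade fixes anything on this instance, while runtime_needs_restart tells you whether the already-running mysqld picked up a wrong value and therefore needs the restart (with its attendant downtime on a master) after the upgrade.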

For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.
