The answer: two security alerts.
That’s what struck the Open Source Software universe on the 5th of June, and, as huge open source software lovers, SquidSolutions had to respond immediately.
The first threat is a sneaky, nasty little local privilege escalation vulnerability in the Linux kernel. As usual, the Debian team responded really quickly, and our software integration server was rebooted with the new patched kernel. The other servers of our infrastructure were not impacted. Piece of cake!
The second threat came from OpenSSL, again.
Why “again”? Because we already had to struggle against the infamous Heartbleed bug. Last 8th of April we had to upgrade the OpenSSL library, revoke the SSL certificates of all six of our HTTPS sites, request new ones with new private keys, and install them… Our thoughts go to hosting companies which had hundreds of servers and thousands of secured sites.
So yesterday it was “just” a Man-In-The-Middle vulnerability that hit all the major versions of libssl. Even after more than a decade in the IT industry, I am stoked by the quick response of all of the main free software operating systems (GNU/Linux or *BSD). My task was only to type:
sudo apt-get update && sudo apt-get install openssl libssl1.0.0
Then restart all the software that relies on it, and voilà.
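The “restart all the software that relies on it” step is the one people forget: after the package upgrade the new library is on disk, but every process that loaded the old one keeps running the pre-patch code until it is restarted. As an added example (not from the original post), this small POSIX shell script finds such processes by looking for libssl/libcrypto mappings that the kernel marks “(deleted)” in /proc/<pid>/maps; the library paths in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: find processes still holding a replaced libssl/libcrypto in
# memory. When dpkg installs the new .so it unlinks the old inode, so the old
# mapping shows up as "... (deleted)" in /proc/<pid>/maps until a restart.

# Print the distinct libssl/libcrypto paths marked "(deleted)" in one maps file.
stale_ssl_maps() {
    # $1: a /proc/<pid>/maps file (or a constructed copy of one).
    # Fields: address perms offset dev inode pathname [(deleted)]
    awk '$6 ~ /lib(ssl|crypto)/ && $7 == "(deleted)" { print $6 }' "$1" | sort -u
}

# Walk /proc and report "pid comm path" for every process with a stale mapping.
list_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue        # other users' processes need root
        stale_ssl_maps "$maps" | while IFS= read -r lib; do
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
        done
    done
}

# Constructed sample maps file (not a real capture): two segments of the old
# libssl, the already-reloaded libcrypto, and an unrelated deleted temp file.
SAMPLE_MAPS=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS"' EXIT
cat >"$SAMPLE_MAPS" <<'EOF'
7f3a1c000000-7f3a1c05f000 r-xp 00000000 08:01 131074 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c05f000-7f3a1c25e000 ---p 0005f000 08:01 131074 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5f0000 r-xp 00000000 08:01 131080 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1d000000-7f3a1d001000 rw-s 00000000 00:05 9 /tmp/somefile (deleted)
EOF

# "--scan" checks the live system; otherwise show the result on the sample.
if [ "${1:-}" = "--scan" ]; then
    list_stale_ssl_processes
else
    stale_ssl_maps "$SAMPLE_MAPS"     # prints the old libssl path once
fi
```

Run it as root with --scan after the apt-get step; an empty result means nothing is left to restart.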
Our main concern now is the future. We know that more and more vulnerabilities will come from the OpenSSL project. We don’t need to be coding and security experts like the OpenBSD team to be that confident: just read their comments while they fork the OpenSSL library into LibreSSL. OpenSSL is part of the Internet’s foundations: not only for the confidentiality of web transactions, but for email servers, VPN services, of course SSH access to servers, and so on. The entire Internet community relies on cryptography and OpenSSL, and should (must?) donate to the people who work hard on it. That’s what we did today.