Ghost, really again ?!

Published on January 29, 2015


Hello!

Many words have already been said about the “new” vulnerability in the glibc library that goes by the mysterious name Ghost.

For that reason I will not take your time describing it or the possible ways of fixing it on the systems entrusted to you; instead I will offer some information on fixing this vulnerability in our products Kerio Connect, Kerio Control and Kerio Operator.

Let's start with our Kerio Connect Virtual Appliance distribution, inside which runs a full Debian Wheezy (Kerio Connect VMapp 8.3.x and newer) or Debian Squeeze (Kerio Connect VMapp 8.2.x and older).

In general the procedure does not differ from the one already presented on Habr and other resources; however, in the case of the Kerio Connect VMapp you need to make a small change to the list of repositories used, if you have not already done so, of course.

In the terminal, enter the following command:

    sudo nano /etc/apt/sources.list
    


For Debian 7 (Wheezy) this file should contain:

    deb http://ftp.debian.org/debian wheezy main
    deb-src http://ftp.debian.org/debian wheezy main
    deb http://ftp.debian.org/debian wheezy-updates main
    deb-src http://ftp.debian.org/debian wheezy-updates main
    deb http://security.debian.org/ wheezy/updates main
    deb-src http://security.debian.org/ wheezy/updates main
    


For Debian 6 (Squeeze) this file should contain:

    deb http://ftp.debian.org/debian/ squeeze main contrib
    deb-src http://ftp.debian.org/debian/ squeeze main contrib
    deb http://security.debian.org/ squeeze/updates main contrib
    deb-src http://security.debian.org/ squeeze/updates main contrib
    deb http://ftp.debian.org/debian squeeze-lts main contrib
    deb-src http://ftp.debian.org/debian squeeze-lts main contrib
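As an added example (my own code, not from the post or from Kerio), here is a small Python checker that parses a sources.list in the format shown above and reports which of the entries listed for Wheezy or Squeeze are still missing, so an administrator can verify the file before running the update. The sample file content it carries is constructed, and the release codename is passed in rather than detected from the system.

```python
# Added example (not Kerio's code): verify sources.list against the lists in the post.

# Constructed sample: a typical VMapp sources.list with the security repo commented out.
SAMPLE_WHEEZY = """\
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
# deb http://security.debian.org/ wheezy/updates main
"""

def required_entries(codename):
    """The (type, uri, suite, components) lines the post lists for 'wheezy' or 'squeeze'."""
    if codename == "wheezy":
        comps, suites = "main", [("http://ftp.debian.org/debian", "wheezy"),
                                 ("http://ftp.debian.org/debian", "wheezy-updates"),
                                 ("http://security.debian.org/", "wheezy/updates")]
    elif codename == "squeeze":
        comps, suites = "main contrib", [("http://ftp.debian.org/debian/", "squeeze"),
                                         ("http://security.debian.org/", "squeeze/updates"),
                                         ("http://ftp.debian.org/debian", "squeeze-lts")]
    else:
        raise ValueError("unsupported release: %s" % codename)
    return [(typ, uri, suite, comps) for uri, suite in suites for typ in ("deb", "deb-src")]

def parse_sources_list(text):
    """Return (type, uri, suite, components) for every active deb/deb-src line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop comments and blank lines
        if len(parts) < 2 or parts[0] not in ("deb", "deb-src"):
            continue
        if parts[1].startswith("["):                # skip an optional [options] field
            end = next((i for i, p in enumerate(parts) if i > 0 and p.endswith("]")), None)
            parts = [] if end is None else parts[:1] + parts[end + 1:]
        if len(parts) >= 4:
            entries.append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return entries

def missing_entries(text, codename):
    """Required lines not yet covered by the sources.list text, in paste-ready form."""
    # A trailing slash on the mirror URI is ignored, and an existing line counts as long
    # as it carries at least the required components ('main contrib' covers 'main').
    present = {}
    for typ, uri, suite, comps in parse_sources_list(text):
        present.setdefault((typ, uri.rstrip("/"), suite), set()).update(comps.split())
    missing = []
    for typ, uri, suite, comps in required_entries(codename):
        have = present.get((typ, uri.rstrip("/"), suite), set())
        if not set(comps.split()) <= have:
            missing.append(" ".join((typ, uri, suite, comps)))
    return missing
```

Feed it the contents of /etc/apt/sources.list together with the codename of the appliance's Debian release; every line it returns is one that still has to be added before running the update.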
    


With our other products, Kerio Control and Kerio Operator, in both their Software and Virtual Appliance distributions, the situation is somewhat different: because the distributions themselves are based on a stripped-down Debian Linux Wheezy, they carry the vulnerable glibc library.

However, in the case of the Kerio Control distributions the vulnerability cannot be exploited, since Kerio Control has its own DNS forwarding module. At the same time, the Kerio Control 8.4.3 service release, which contains the fixed library, will be published on our automatic update servers within a couple of days.

Kerio Operator distributions up to version 2.3.4 are vulnerable, but only from within the local network, provided the standard configuration of the built-in iptables rules is preserved.

The Kerio Operator 2.3.4 patch 1 service release will be available on our automatic update servers within a day of today's date.

To maintain an acceptable level of security, we recommend that Kerio Operator administrators do not change the settings of the built-in firewall in Kerio Operator and do not use the automatic phone provisioning function on public networks; this is, however, a standard recommendation for our users anyway.


After the corresponding versions of the distributions are published, we will post download links on our blog.

Also, to get information on this vulnerability and its impact on Kerio products as quickly as possible, follow the specially created page.

Thank you for your attention! We wish you all a calm Internet!

As promised, the Kerio Control and Kerio Operator service releases are now published, with version numbers 8.4.3 and 2.3.4 patch 1 respectively.

You can upgrade either through the administration interface of the corresponding product, or by downloading the update image from our website www.kerio.ru under Support / Kerio Control or Kerio Operator.