Performance Toolkit Updates
2010-01-31, perfSONAR-PS Developers Meeting
Aaron Brown, Joe Metzger
© 2009 Internet2
Performance Toolkit Updates
• Problem
  – As of February 15th, we lose support for Debian 4.0, the basis for the current toolkit.
• Goal: Decide a path forward
  – Upgrade the existing toolkit to Debian 5.0
  – Transition to Fedora LiveCD ASAP, and maintain security updates ourselves for 6(?) months
  – Maintain security updates ourselves until 6(?) months after a version based on the Fedora LiveCD is released
Upgrade to Debian 5.0
• Upsides
  – Theoretically, a smaller upgrade step, and we would not need to maintain security updates ourselves.
  – We’ve already updated from Knoppix to Debian 4.0, so we have some idea of the complexity.
• Downsides
  – May require recompilation of all software we’ve added
    • NDT, NPAD, bwctl, owamp, iperf
    • CPAN modules (will almost definitely need to be recompiled)
  – Init scripts may need to be fiddled with
  – Configuration files may need to be changed
  – If we’re going to transition to LiveCD eventually anyway, the costs of upgrading are weighed solely against the costs of maintaining security fixes ourselves and upgrading to LiveCD soon(er?)
Upgrade to LiveCD
• Upsides
  – We’re going to do this update eventually anyway
• Downsides
  – May require recompilation of all software we’ve added
    • NDT, NPAD, bwctl, owamp, iperf
    • CPAN modules (will almost definitely need to be recompiled)
  – Init scripts may need to be fiddled with
  – Configuration files may need to be changed
  – There are open questions for transitioning
    • How do we deal with the “ramdisk filling” issue?
    • Are we going to do a clean transition, or a quick-and-dirty transition?
Maintaining Security Updates
• Kernel Updates
  – We maintain our own kernel, so we’ll be responsible for these updates no matter which option we choose.
• Software Updates
  – We’ll have to watch the Debian security mailing list and apply any fixes we see to the 5.0 branch, and to the 4.0 branch where they apply.
  – Expense depends heavily on how many fixes come out during the timeframe in which we’re maintaining security fixes.
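The "watch the list, apply the fix to the branches we maintain" work above reduces to one repeatable check: is the version installed on the toolkit older than the first fixed version named in the advisory, under dpkg's own ordering rules? The following is an added example, not code from the perfSONAR-PS toolkit or from Internet2. It reimplements dpkg's version comparison (epoch:upstream-revision; "~" sorts before everything, even the end of the string; digit runs compare numerically; letters sort before other punctuation) in Python so it needs no dpkg binary, then runs it over a package snapshot in the shape `dpkg-query -W -f '${Package} ${Version}\n'` prints and over a list of advisories. The snapshot, the advisory entries and every version string are constructed for illustration, not real Debian 4.0/5.0 or DSA values, and `parse_installed`, `outstanding_fixes` and `compare_versions` are names chosen here. Run once per branch with that branch's own snapshot, the same check answers the "applies to 4.0 / 5.0" question asked of each fix on the following slides.

```python
"""Check installed Debian package versions against advisory fixed versions.

Added example for this page, not perfSONAR-PS toolkit code. Reimplements
dpkg's version ordering so the check runs without a dpkg binary.
"""


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """dpkg's per-character weight inside a non-digit run; "" is end-of-string."""
    if c == "" or _isdigit(c):
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, including end-of-string
    return ord(c) + 256  # other punctuation sorts after all letters


def _verrevcmp(a, b):
    """Compare upstream (or revision) fragments like dpkg: alternate between
    non-digit runs (by _order) and digit runs (numerically, leading zeros ignored)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):
            return 1  # a's number has more significant digits left
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Constructed snapshot, shaped like `dpkg-query -W -f '${Package} ${Version}\n'`.
# Versions are made up for the example, not real Debian 4.0/5.0 values.
INSTALLED_SNAPSHOT = """\
python2.5 2.5.2-15
gzip 1.3.12-6+lenny1
openssl 0.9.8g-15+lenny5
ntp 4.2.4p4+dfsg-8
libxml2 2.6.32.dfsg-5
"""

# Constructed advisory list for one branch: (package, first fixed version).
# Illustrative only; not copied from any real DSA.
ADVISORIES = [
    ("python2.5", "2.5.2-15+lenny1"),
    ("gzip", "1.3.12-6+lenny1"),           # already at the fixed version
    ("openssl", "0.9.8g-15+lenny6"),
    ("krb5", "1.6.dfsg.4~beta1-5lenny2"),  # not installed on this box
    ("ntp", "4.2.4p4+dfsg-8lenny3"),
    ("libxml2", "2.6.32.dfsg-5+lenny1"),
]


def parse_installed(snapshot):
    """Package name -> version, from the dpkg-query style snapshot."""
    installed = {}
    for line in snapshot.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def outstanding_fixes(installed, advisories):
    """[(package, installed, fixed)] for each advisory whose fixed version is newer
    than what is installed; advisories for packages not installed are dropped."""
    todo = []
    for package, fixed in advisories:
        have = installed.get(package)
        if have is not None and compare_versions(have, fixed) < 0:
            todo.append((package, have, fixed))
    return todo


if __name__ == "__main__":
    for package, have, fixed in outstanding_fixes(parse_installed(INSTALLED_SNAPSHOT), ADVISORIES):
        print("%-10s installed %-22s needs %s" % (package, have, fixed))
```

The ordering details matter more than they look: a naive string or float comparison would rank `1.0~rc1` above `1.0`, treat `1.01` and `1.1` as different, and miss that `8lenny3` is newer than `8`, so a box could be reported as patched when it is not.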
Security Fixes: July and January
• January
  – Python: DoS of a service that parses an XML file
    • Severity for us: low
    • Applies to 4.0 and 5.0
  – Gzip: arbitrary code execution when decompressing specially crafted files
    • Severity for us: low
    • Applies to 4.0 and 5.0
  – OpenSSL: DoS if mod_ssl, mod_php5 and php5-curl are loaded
    • Severity for us: low
    • Applies to 5.0
  – Krb5: remote crashes, heap corruption, and an extraordinarily unlikely chance of arbitrary code execution
    • Severity for us: low
    • Applies to 4.0 and 5.0
• December
  – NTP: remote DoS possibility
    • Severity for us: medium-high
    • Applies to 4.0 and 5.0
Security Fixes: July and January (continued)
• November
  – Apache: minor TLS vulnerability
    • Severity for us: low
    • Applies to 4.0 and 5.0
• August
  – Libxml2: DoS and possible code execution
    • Severity for us: low
    • Applies to 4.0 and 5.0
  – Apache Portable Runtime (APR) library: heap overflow/code execution
    • Severity for us: low
    • Applies to 4.0 and 5.0
• July
  – Apache: DoS if mod_proxy or mod_deflate were enabled
    • Severity for us: low
    • Applies to 4.0 and 5.0
For more information, visit www.internet2.edu