Performance Toolkit Updates, 2010-01-31, perfSONAR-PS Developers Meeting, Aaron Brown, Joe Metzger


Upload: jonas-sparks

Post on 05-Jan-2016


Performance Toolkit Updates

• Problem
  – As of February 15th, we lose support for Debian 4.0, the basis for the current toolkit.
• Goal: Decide a path forward
  – Upgrade the existing toolkit to Debian 5.0
  – Transition to Fedora LiveCD ASAP, and maintain security updates ourselves for 6(?) months
  – Maintain security updates ourselves until 6(?) months after a version based on the Fedora LiveCD is released

2 – 04/20/23, © 2009 Internet2

Upgrade to Debian 5.0

• Upsides
  – Theoretically, a more minor upgrade path, and we would not need to maintain security updates.
  – We’ve updated from Knoppix to Debian 4.0, so have some idea of the complexity.
• Downsides
  – May require recompilation of all software we’ve added
    • NDT, NPAD, bwctl, owamp, iperf
    • CPAN modules (will almost definitely need recompiled)
  – Init scripts may need fiddled with
  – Configuration files may need changed
  – If we’re going to transition to LiveCD eventually anyway, the costs for upgrading are weighed solely against the costs of maintaining security fixes, and upgrading to LiveCD soon(er?)

Upgrade to LiveCD

• Upsides
  – We’re going to do this update eventually anyway
• Downsides
  – May require recompilation of all software we’ve added
    • NDT, NPAD, bwctl, owamp, iperf
    • CPAN modules (will almost definitely need recompiled)
  – Init scripts may need fiddled with
  – Configuration files may need changed
  – There are open questions for transitioning
    • How do we deal with the “ramdisk filling” issue?
    • Are we going to do a clean transition, or a quick-and-dirty transition?

Maintaining Security Updates

• Kernel Updates
  – We maintain our own kernel, so we’ll be responsible for these updates no matter the option we choose.
• Software Updates
  – We’ll have to watch the Debian security mailing list, and apply any fixes we see to the 5.0 branch, to the 4.0 branch (if applicable).
• Expense depends heavily on how many fixes come out during the timeframe we’re maintaining security fixes.

Security Fixes: July and January

• January
  – Python: DoS of a service that parses an XML file
    • Severity for us: low
    • Applies to 4.0 and 5.0
  – Gzip: arbitrary execution when decompressing specially crafted files
    • Severity for us: low
    • Applies to 4.0 and 5.0
  – Openssl: DoS if mod_ssl, mod_php5 and php5-curl are loaded
    • Severity for us: low
    • Applies to 5.0
  – Krb5: Remote crashes, heap corruption, and extraordinarily unlikely chance: arbitrary code execution
    • Severity for us: low
    • Applies to 4.0/5.0
• December
  – Ntp: remote DoS possibility
    • Severity for us: medium-high
    • Applies to 4.0/5.0

Security Fixes: July and January

• November
  – Apache: Minor TLS vulnerability
    • Severity for us: low
    • Applies to 4.0/5.0
• August
  – Libxml2: DoS and possible code execution
    • Severity for us: low
    • Applies to 4.0/5.0
  – Apache Runtime Library – heap overflow/code execution
    • Severity for us: low
    • Applies to 4.0/5.0
• July
  – Apache – DoS if mod_proxy or mod_deflate were enabled
    • Severity for us: low
    • Applies to 4.0/5.0

For more information, visit www.internet2.edu