(31 intermediate revisions by 6 users not shown)

'''Previous revision'''

{{DISPLAYTITLE: Upgrade CentOS to have the latest patches}}

= Benefits of having the latest patches =
* Patch recent vulnerabilities
* Patch SNMP core files

= Applicable Products =
* TMG800, TMG3200, TMG7800-CTRL
* Tdev Linux server (CentOS, RedHat, etc.) running Toolpack software

= Details =
The impact of this vulnerability on TelcoBridges products depends on their configuration. The vulnerability may only be triggered through requests for domain name resolution; therefore, only units that enable such services may be exposed to the issue.

= Software Versions and Fixes =
The TelcoBridges CentOS 5 repository has been updated with the latest glibc version. Services that use glibc must be restarted. Because glibc is used throughout the Linux operating system, it is highly recommended to reboot the unit.

= Update procedure =
The operator can use one of the two methods available: GUI/WebPortal or command line interface.

== WebPortal - TMG unit or Linux server '''with access to the Internet''' (i.e. with DNS configured) ==
* Log in to the WebPortal
* Select the 'Hosts' section
* Click on the hostname
* Click on the 'Status' tab
* Select 'Upgrade Linux packages' in the host 'Action' menu
* Click on the 'Apply action' button
* Refresh the page until the packages are updated as indicated in the 'Action Log' (you may use the 'Now' button to update the page). The results should appear within a minute.
* Select 'Shutdown' in the host 'Action' menu
* Select 'Reboot' in the 'Shutdown Type'
* Click on the 'Apply action' button
* Repeat the process for all hosts listed

== Command line interface ==
* Log in with the root account and check the architecture:
<pre>
[root@TB011107 ~]# uname -m
x86_64
</pre>
* If the result is not "x86_64", [[Support:Contacting TelcoBridges technical support|please contact TelcoBridges]] support; otherwise you can proceed with either method below.
* Follow one of the two options depending on whether the Internet is accessible from the unit

=== Option #1 - TMG unit or Linux server '''with access to the Internet''' (i.e. with DNS configured) ===
* Update the OS packages with yum:
<pre>
yum clean all
yum update
</pre>
* Reboot the unit:
<pre>
reboot
</pre>

=== Option #2 - TMG unit or Linux server '''without access to the Internet''' ===
* Download the following packages to your PC:
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-common-2.5-123.el5_11.1.x86_64.rpm
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-devel-2.5-123.el5_11.1.x86_64.rpm
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-headers-2.5-123.el5_11.1.x86_64.rpm
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/nscd-2.5-123.el5_11.1.x86_64.rpm
* Using WinSCP or a similar tool, upload the files to the TMG unit using the root account
* Log in with the root account
* Install the packages:
<pre>
yum localinstall glibc-2.5-123.el5_11.1.x86_64.rpm \
    glibc-common-2.5-123.el5_11.1.x86_64.rpm \
    glibc-devel-2.5-123.el5_11.1.x86_64.rpm \
    glibc-headers-2.5-123.el5_11.1.x86_64.rpm \
    nscd-2.5-123.el5_11.1.x86_64.rpm
</pre>
* '''Note''': this operation might take a long time, since yum will probably time out while trying to reach the external repositories.
* Reboot the unit:
<pre>
reboot
</pre>

= How to verify that the vulnerability is fixed =
* Log in with the root account
* Execute the following to create the test script (the heredoc is unquoted, so every <code>$</code> that must reach the script is escaped as <code>\$</code>):
<pre>
cat > rhel-GHOST-test.sh << FOF
#!/bin/bash
# rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. #
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #
echo "Installed glibc version(s)"

rv=0
for glibc_nvr in \$( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=\$( echo "\$glibc_nvr" | awk -F- '{ print \$2 }' )
    glibc_maj=\$( echo "\$glibc_ver" | awk -F. '{ print \$1 }')
    glibc_min=\$( echo "\$glibc_ver" | awk -F. '{ print \$2 }')

    echo -n "- \$glibc_nvr: "
    if [ "\$glibc_maj" -gt 2 -o \( "\$glibc_maj" -eq 2 -a "\$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "\$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ \$rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit \$rv
FOF
</pre>
* Execute the script:
<pre>
chmod +x rhel-GHOST-test.sh
./rhel-GHOST-test.sh
</pre>
* '''You should not see the 'vulnerable' string displayed'''

= Verify system timezone =
We found that some systems had their timezone reset to EST after the GHOST patch procedure.
* Verify the timezone on the system:
<pre>
date
</pre>
If it differs from the original, reset the timezone using the [[TMG:Change_Time_Zone|tbtimezone]] script.

= References =
* https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
* https://access.redhat.com/articles/1332213
* http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

'''Current revision'''

{{DISPLAYTITLE: Upgrade CentOS software packages}}
__FORCETOC__
== Benefits ==
* Obtain the CentOS security updates
* Patch recent vulnerabilities
* Patch SNMP core files

== Applicable Products ==
* TMG800, TMG3200, TMG7800-CTRL, TSBC, FreeSBC, ProSBC
* TSG800, TSG3200
* Tdev Linux server (CentOS or RedHat) running Toolpack software

== TelcoBridges repository ==
The operating system (CentOS) software upgrade is performed using the ''yum'' package manager. The repository sites providing RPM packages are configured in /etc/yum.repos.d/. TelcoBridges provides a modified copy (http://repo.telcobridges.com) of the official CentOS repository.

If the '''unit or Linux server does not have access to the Internet''' (or does not have DNS configured), you should configure an offline CentOS repository on your local machine as explained in the section below.

=== Offline repository configuration ===
First, SSH to your unit to determine which version of the OS your system is using:
<pre>
# cat /etc/redhat-release
</pre>
'''CentOS release 5'''.11 (Final)
* [[Configure_Offline_Repository_CentOS5_A|Configure a local offline Repository for CentOS5]]

'''CentOS Linux release 7''' (Core)
* [[Configure_Offline_Repository_CentOS7_A|Configure a local offline Repository for CentOS7]]

== CentOS software packages update ==
The operator can use one of the two methods available: GUI/WebPortal or command line interface.

=== WebPortal ===
To upgrade CentOS software packages, follow this procedure from the web interface of the unit:
* Hosts -> Status -> TBxxxxxx -> Action -> Upgrade Linux Packages, then 'Apply Action':
[[Image:Upgrade_Linux_Packages.jpg]]

When the upgrade is in progress, no status is shown and you will see a screen like this:
[[Image:Upgrade_Linux_Progress.jpg]]

It may take a while (8-10 minutes). Refresh the page until you see this:
[[Image:Centos_Upgrade_Complete.jpg]]

Once complete, you need to reboot the host:
* Hosts -> Status -> TBxxxxxx -> Action -> Shutdown -> Reboot

=== Command line ===
Alternatively, you can SSH to the unit and run the following commands:
<pre>
# yum clean all
# yum update
# yum group update
</pre>
Reboot the unit:
<pre>
# reboot
</pre>
<br>
Here is a link to the main [https://repo.telcobridges.com/centos/7/os/x86_64/Packages/ TelcoBridges repository]
<br>
[[category:FAQ]]
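The GHOST verification script in the previous revision above (credited to Red Hat) decides, for each installed glibc package, whether the CVE-2015-0235 fix is present: glibc 2.18 and later carry the upstream fix, and older CentOS/RHEL builds count as fixed only when the RPM %changelog names the CVE. That rule is worth being able to exercise without a unit at hand, because a wrong major/minor parse would silently report "not vulnerable". The following is an added example, not code from the TelcoBridges page or from Red Hat: the same rule factored into a function that takes the package NVR string and its changelog text as arguments, so it can be checked offline on constructed inputs and then pointed at `rpm` on a unit. The function names (`ghost_status`, `ghost_check_installed`) and the sample changelog text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the decision rule of rhel-GHOST-test.sh (CVE-2015-0235) as a
# function that can be exercised offline. Not part of the TelcoBridges page or
# of Red Hat's script; function names and sample data are assumptions.

# ghost_status NVR CHANGELOG
#   NVR       - package string as printed by
#               rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc
#   CHANGELOG - text of `rpm -q --changelog NVR`
# Prints "vulnerable" or "not vulnerable"; returns 1 when vulnerable.
ghost_status() {
    nvr="$1"
    changelog="$2"

    # "glibc-2.5-123.el5_11.1.x86_64" -> version "2.5" -> major 2, minor 5
    ver=${nvr#*-}
    ver=${ver%%-*}
    maj=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        min=0                 # version string has no minor component
    else
        min=${rest%%.*}
    fi

    # glibc >= 2.18 carries the upstream fix
    if [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -ge 18 ]; }; then
        echo "not vulnerable"
        return 0
    fi

    # Older builds: a distribution backport is recorded by CVE id in the changelog
    if printf '%s\n' "$changelog" | grep -q 'CVE-2015-0235'; then
        echo "not vulnerable"
        return 0
    fi

    echo "vulnerable"
    return 1
}

# ghost_check_installed: live mode for a unit; needs rpm, so not usable offline.
ghost_check_installed() {
    rv=0
    for nvr in $(rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc); do
        printf '%s: ' "- $nvr"
        ghost_status "$nvr" "$(rpm -q --changelog "$nvr")" || rv=1
    done
    return "$rv"
}

# Constructed sample inputs (not real rpm output). The first NVR is the patched
# CentOS 5 glibc named on the page; the changelog entries are invented to show
# the shape the rule looks for.
SAMPLE_NVR_PATCHED='glibc-2.5-123.el5_11.1.x86_64'
SAMPLE_CHANGELOG_PATCHED='* Tue Jan 27 2015 Example Maintainer <maint@example.invalid> - 2.5-123.1
- Fix buffer overflow in __nss_hostname_digits_dots (CVE-2015-0235)'
SAMPLE_NVR_OLD='glibc-2.5-118.el5.x86_64'
SAMPLE_CHANGELOG_OLD='* Mon Sep 01 2014 Example Maintainer <maint@example.invalid> - 2.5-118
- Unrelated fix'

case "${1:-}" in
    --installed) ghost_check_installed ;;
    *)
        printf '%s: ' "$SAMPLE_NVR_PATCHED"
        ghost_status "$SAMPLE_NVR_PATCHED" "$SAMPLE_CHANGELOG_PATCHED"
        printf '%s: ' "$SAMPLE_NVR_OLD"
        ghost_status "$SAMPLE_NVR_OLD" "$SAMPLE_CHANGELOG_OLD" || true
        ;;
esac
```

Run it without arguments to see the rule applied to the constructed samples, or with `--installed` on a unit to evaluate every installed glibc the way the page's script does. The version is split with parameter expansion rather than `awk` so that a version string without a minor component cannot produce an empty comparison operand.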
Benefits
- Obtain the CentOS security updates
- Patch recent vulnerabilities
- Patch SNMP core files
Applicable Products
- TMG800, TMG3200, TMG7800-CTRL, TSBC, FreeSBC, ProSBC
- TSG800, TSG3200
- Tdev Linux server (CentOS or RedHat) running Toolpack software
TelcoBridges repository
The operating system (CentOS) software upgrade is performed using the yum package manager. The repository sites providing RPM packages are configured in /etc/yum.repos.d/. TelcoBridges provides a modified copy (http://repo.telcobridges.com) of the official CentOS repository.
If the unit or Linux server does not have access to the Internet (or does not have DNS configured), you should configure an offline CentOS repository on your local machine as explained in the section below.
Offline repository configuration
First, SSH to your unit to determine which version of the OS your system is using:
# cat /etc/redhat-release
CentOS release 5.11 (Final)
CentOS Linux release 7(Core)
CentOS software packages update
The operator can use one of the two methods available: GUI/WebPortal or command line interface.
WebPortal
To upgrade CentOS software packages, follow this procedure from the web interface of the unit:
- Hosts -> Status -> TBxxxxxx -> Action -> Upgrade Linux Packages, then 'Apply Action':
When the upgrade is in progress, no status is shown and you will see a screen like this:
It may take a while (8-10 minutes). Refresh the page until you see this:
Once complete, you need to reboot the host:
Hosts -> Status -> TBxxxxxx -> Action -> Shutdown -> Reboot
Command line
Alternatively, you can SSH to the unit and run the following commands:
# yum clean all
# yum update
# yum group update
Reboot the unit
# reboot
Here is a link to the main TelcoBridges repository
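As an added example (not the page's or TelcoBridges' code), here is the command-line procedure above wrapped in a script with the checks an operator would want around it: the x86_64 architecture gate from the earlier revision of this page, detection of the CentOS major version from /etc/redhat-release (the step the offline repository section starts with), a `yum check-update` preview so that an unreachable repository (no Internet or DNS) is reported instead of silently leaving the unit unpatched, and a comparison of the running kernel with the newest installed one after the update to confirm that the reboot is still needed. The helper functions take their input as arguments so they can be exercised offline; `run_upgrade` is the only part that touches the system and needs root, yum and rpm. Function names and the log path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the TelcoBridges page: the command-line update
# procedure (yum clean all / yum update / yum group update / reboot) with the
# checks an operator would want around it. Function names and the log path
# are assumptions made for this example.

# check_arch ARCH: the procedure only supports x86_64 units.
check_arch() {
    [ "$1" = "x86_64" ]
}

# centos_major RELEASE_LINE: major version from a /etc/redhat-release line.
#   "CentOS release 5.11 (Final)"          -> 5
#   "CentOS Linux release 7.9.2009 (Core)" -> 7
# Prints nothing and returns 1 when no "release N" is present.
centos_major() {
    case "$1" in
        *"release "[0-9]*) ;;
        *) return 1 ;;
    esac
    ver=${1#*release}
    ver=${ver# }
    major=${ver%%[!0-9]*}   # keep the leading digits only
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# reboot_pending RUNNING NEWEST_LINE: true when the running kernel (uname -r)
# is not the most recently installed one. NEWEST_LINE is the first line of
# `rpm -q --last kernel`, e.g. "kernel-3.10.0-1160.el7.x86_64  Mon 16 Nov 2020 ...".
reboot_pending() {
    newest=${2%%[[:space:]]*}   # drop the install timestamp
    newest=${newest#kernel-}
    [ "$1" != "$newest" ]
}

# run_upgrade: the live procedure; requires root, yum and rpm on the unit.
run_upgrade() {
    log="/var/log/centos-upgrade-$(date +%Y%m%d-%H%M%S).log"   # assumed log path
    arch=$(uname -m)
    if ! check_arch "$arch"; then
        echo "unsupported architecture '$arch'; contact TelcoBridges support" >&2
        return 1
    fi
    major=$(centos_major "$(cat /etc/redhat-release)") || {
        echo "cannot determine the CentOS release from /etc/redhat-release" >&2
        return 1
    }
    echo "CentOS $major on $arch; logging to $log"

    yum clean all >>"$log" 2>&1

    # check-update exits 100 when updates are available, 0 when there are
    # none, and another value on error (typically a repository that cannot be
    # reached: no Internet/DNS, see the offline repository section).
    if yum check-update >>"$log" 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0)   echo "no updates available; nothing to do"; return 0 ;;
        100) ;;
        *)   echo "yum check-update failed (rc=$rc); see $log" >&2; return 1 ;;
    esac

    yum -y update >>"$log" 2>&1 || { echo "yum update failed; see $log" >&2; return 1; }
    # 'yum group update' is the form used on this page for CentOS 7; it is
    # skipped on older releases whose yum predates that subcommand.
    if [ "$major" -ge 7 ]; then
        yum -y group update >>"$log" 2>&1 || { echo "yum group update failed; see $log" >&2; return 1; }
    fi

    newest=$(rpm -q --last kernel | head -n 1)
    if reboot_pending "$(uname -r)" "$newest"; then
        echo "a newer kernel was installed; reboot the unit now (reboot)"
    else
        echo "kernel unchanged; reboot anyway so all services pick up the updated libraries"
    fi
}

case "${1:-}" in
    --run) run_upgrade ;;
esac
```

Invoke it as `./centos-upgrade.sh --run` on the unit; without the flag it only defines the functions, which is what lets the parsing helpers be tested on constructed release and kernel strings. The page's advice to reboot after the update stands in both branches: the kernel comparison only tells the operator which reboot outcome to expect, since updated libraries such as glibc are still in use by running services until then.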