80 likes | 226 Views
2010-01-31, perfSONAR-PS Developers Meeting Aaron Brown, Joe Metzger. Performance Toolkit Updates. Performance Toolkit Updates. Problem As of February 15 th , we lose support for Debian 4.0, the basis for the current toolkit. Goal: Decide a path forward
E N D
2010-01-31, perfSONAR-PS Developers Meeting Aaron Brown, Joe Metzger Performance Toolkit Updates
Performance Toolkit Updates • Problem • As of February 15th, we lose support for Debian 4.0, the basis for the current toolkit. • Goal: Decide a path forward • Upgrade the existing toolkit to Debian 5.0 • Transition to Fedora LiveCD ASAP, and maintain security updates ourselves for 6(?) months • Maintain security updates ourselves until 6(?) months after a version based on the Fedora LiveCD is released
Upgrade to Debian 5.0 • Upsides • Theoretically, a more minor upgrade path, and we would not need to maintain security updates. • We’ve updated from Knoppix to Debian 4.0, so have some idea of the complexity. • Downsides • May require recompilation of all software we’ve added • NDT, NPAD, bwctl, owamp, iperf • CPAN modules (will almost definitely need recompiled) • Init scripts may need fiddled with • Configuration files may need changed • If we’re going to transition to LiveCD eventually anyway, the costs for upgrading are weighed solely against the costs of maintaining security fixes, and upgrading to LiveCD soon(er?)
Upgrade to LiveCD • Upsides • We’re going to do this update eventually anyway • Downsides • May require recompilation of all software we’ve added • NDT, NPAD, bwctl, owamp, iperf • CPAN modules (will almost definitely need recompiled) • Init scripts may need fiddled with • Configuration files may need changed • There are open questions for transitioning • How do we deal with the “ramdisk filling” issue? • Are we going to do a clean transition, or a quick-and-dirty transition?
Maintaining Security Updates • Kernel Updates • We maintain our own kernel, so we’ll be responsible for these updates no matter the option we choose. • Software Updates • We’ll have watch the Debian security mailing list, and apply any fixes we see to the 5.0 branch, to the 4.0 branch (if applicable). • Expense depends heavily on how many fixes come out during the timeframe we’re maintaining security fixes.
Security Fixes: July and January • January • Python: DoS of a service that parses an XML file • Severity for us: low • Applies to 4.0 and 5.0 • Gzip: arbitrary execution when decompressing specially crafted files • Severity for us: low • Applies to 4.0 and 5.0 • Openssl: DoS if mod_ssl, mod_php5 and php5-curl are loaded • Severity for us: low • Applies to 5.0 • Krb5: Remote crashes, heap corruption, and extraordinarily unlikely chance: arbitrary code execution • Severity for us: low • Applies to 4.0/5.0 • December • Ntp: remote DoS possibility • Severity for us: medium-high • Applies to 4.0/5.0
Security Fixes: July and January • November • Apache: Minor TLS vulnerability • Severity for us: low • Applies to 4.0/5.0 • August • Libxml2: DoS and possible code execution • Severity for us: low • Applies to 4.0/5.0 • Apache Runtime Library – heap overflow/code execution • Severity for us: low • Applies to 4.0/5.0 • July • Apache – DoS if mod_proxy or mod_deflate were enabled • Severity for us: low • Applies to 4.0/5.0
Performance Toolkit Updates 2010-01-31, perfSONAR-PS Developers Meeting Aaron Brown, Joe Metzger For more information, visit www.internet2.edu