Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[FallacyofUrist]

I weep because I can't trust the new version of dwarf fortress.

[Skyrunner]

Toady pls gif md5s?

[Akura]

I weep because I can't trust the new version of dwarf fortress.

To be fair, the latest version came out after the problem was discovered. I don't know if the exploit was closed, however.

[Silverybearded]

I weep because I can't trust the new version of dwarf fortress.

To be fair, the latest version came out after the problem was discovered. I don't know if the exploit was closed, however.

It is in the process of being closed. At least I think that's what the server migration is.

[lethosor]

That's not what the migration was about (it was due to Toady's hosting company restructuring their hosting plans), but there were some software upgrades involved, apparently:

Nameservers should be switching over slowly now.  The bug tracker is live on the new server, so it should come up for people as the day goes by (it'll list zero bugs while it still points to the old one, and you might see that for a while).  The php/server/etc. are running on newer versions [...]

[wierd]

migrating to a newer version of nginx would close the security hole. However, as I pointed out, many enterprise setups use older software for "reasons".  The best solution in that case would be to leverage the security of the underlying OS to prevent the nginx process from tampering with the http directory structure.

That way even if nginx get's pwned again, the pwned process lacks the credentials to do anything. 

I dont think Toady does *nix though, and that would be arcane *nix administration.  (Well, not really-- it can be done with about 3 commands on the console, but you have to know what you are doing.) 

Sadly, webhosting companies manage the server daemon group account policy and the file system security portions of administration. They just offer services like "Hey, We offer CGI/BIN legacy service/SQL database daemon service/PHP preprocessing service/ASP service/ etc." Then they control which implementations and version offered.

Unless toady wants to manage his own server (which I doubt he will do, because 1) It's expensive to pay for that kind of bandwidth, and 2) He doesnt *nix) there probably isn't much he can do about this exploit other than ask the hosts to please fix the daemon group and filesystem security on the webhost, and hope they listen to him.

[lethosor]

Just because the old nginx version was vulnerable doesn't mean that it was exploited to modify index.html, or that it's easy to do so. FTP or shell access could have been used somehow, for example (or something else; I don't know exactly what entry points are set up on the servers). I do agree that limiting nginx's write access is a good idea, but I haven't seen anything to suggest that it isn't (or is) already limited, or to what extent.
(Upgrading nginx is a good idea anyway, of course.)