These were publicized without our prior knowledge that they were about to be published; the fixes should have been properly tested up front, but are now being implemented without testing.
Some things are almost guaranteed to break, and some things will become harder to manage.
These changes also allow server abusers to get away much more easily.

Someone publicized a small potential attack vector for information leaks on user files. These settings had been present for a long time, and were initially required for SSH authorized keys to function.
To exploit this you need to know the filename, and the file's permissions have to be set for OTHER read or write. Some applications may default to these permissions.
This has been fixed now, but it is possible some things will break as a result.

Second, process names can sometimes reveal another user's IP address. Further, seeing running processes made usernames easily visible for attempting the above.
Hiding processes does not explicitly disallow seeing other people's usernames, but it does stop ProFTPD from leaking user IPs.
This will also likely cause all kinds of management headaches, and will allow server abusers to hide just a little bit longer.
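An added audit script covering both issues above, the home-directory permission leak and the process-visibility leak; it is example code, not part of Pulsed Media's stack, and assumes GNU coreutils/findutils (stat -c) and a Linux /proc. The sample home tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added audit example (not Pulsed Media's own code). Assumes GNU stat -c and
# a Linux /proc. Flags home dirs other users can enter that hold files with
# "other" read/write bits, and a /proc mount that is missing hidepid=2.

# other_mode PATH -> the "other" octal digit (0-7) of PATH's permission bits.
other_mode() {
    echo $(( $(stat -c '%a' "$1") % 10 ))
}

# audit_homes BASE -> prints "PATH MODE" for every file under BASE/*/ that
# another local user could read or write by name. Returns 0 if clean, else 1.
audit_homes() {
    base=$1; exposed=0
    for home in "$base"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        # Without o+x on the home dir, other users cannot reach files inside
        # it by name, whatever the files' own modes.
        [ $(( $(other_mode "$home") & 1 )) -eq 1 ] || continue
        hits=$(find "$home" -type f \( -perm -004 -o -perm -002 \) \
                   -exec stat -c '%n %a' {} \;)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            exposed=1
        fi
    done
    return $exposed
}

# proc_hidepid_ok OPTIONS -> 0 if the comma-separated /proc mount options hide
# other users' processes (hidepid=2; kernels 5.8+ show it as hidepid=invisible).
proc_hidepid_ok() {
    case ",$1," in
        *,hidepid=2,*|*,hidepid=invisible,*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_sample_tree -> constructed home tree: alice exposes a file, bob's home
# is not traversable by other, carol's file is owner-only.
make_sample_tree() {
    d=$(mktemp -d)
    for u in alice bob carol; do mkdir "$d/$u"; echo x > "$d/$u/.rtorrent.rc"; done
    chmod 755 "$d/alice" "$d/carol"; chmod 700 "$d/bob"
    chmod 644 "$d/alice/.rtorrent.rc"; chmod 666 "$d/bob/.rtorrent.rc"
    chmod 600 "$d/carol/.rtorrent.rc"
    echo "$d"
}

# Demo: audit the constructed tree, then check the live /proc mount if present.
tree=$(make_sample_tree)
audit_homes "$tree" || echo "exposed files found under $tree"
rm -rf "$tree"
if [ -r /proc/mounts ]; then
    opts=$(awk '$2 == "/proc" && $3 == "proc" { print $4 }' /proc/mounts)
    proc_hidepid_ok "$opts" && echo "/proc: hidepid ok" || echo "/proc: no hidepid ($opts)"
fi
```

Run it as root on a shared host to list every world-reachable file under the home directories; a clean run prints only the hidepid line.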

Further, this forces us to skip our normal rolling updates and software quality assurance. It might also force us to spend the next 8 weeks updating every older server manually. We are investigating whether all these changes can be implemented without upheaving thousands of users all of a sudden.

You can see changes at: https://wiki.pulsedmedia.com/index.php/PM_Software_Stack

**UPDATE** This got fixed in less than 2 hrs of the information reaching us, and in ~3 hrs of public disclosure.

Saturday, March 12, 2022