Categories
Uncategorized

Updating to Apache 2.4.12.

Japanese version of this article

   Apache HTTP Server 2.4.12 has been released (there was no 2.4.11 release). It fixes four security issues: CVE-2014-3583 (mod_proxy_fcgi), CVE-2014-3581 (mod_cache), CVE-2014-8109 (mod_lua) and CVE-2013-5704 (chunked request trailers handled by the core). The following lines, covering OCSP stapling, were added to httpd-ssl.conf; they ship commented out, so nothing changes until you enable them.

    # OCSP Stapling (requires OpenSSL 0.9.8h or later)
    #
    # This feature is disabled by default and requires at least
    # the two directives SSLUseStapling and SSLStaplingCache.
    # Refer to the documentation on OCSP Stapling in the SSL/TLS
    # How-To for more information.
    #
    # Enable stapling for all SSL-enabled servers:
    #SSLUseStapling On

    # Define a relatively small cache for OCSP Stapling using
    # the same mechanism that is used for the SSL session cache
    # above. If stapling is used with more than a few certificates,
    # the size may need to be increased. (AH01929 will be logged.)
    #SSLStaplingCache "shmcb:c:/Apache24/logs/ssl_stapling(32768)"

    # Seconds before valid OCSP responses are expired from the cache
    #SSLStaplingStandardCacheTimeout 3600

    # Seconds before invalid OCSP responses are expired from the cache
    #SSLStaplingErrorCacheTimeout 600
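   To turn those commented defaults into a working setup, and to confirm from the outside that a server really staples, here is an added example written for this page (it is not code from the httpd distribution or from the original post). It assumes the Windows cache path from the shipped httpd-ssl.conf, that mod_socache_shmcb may still need loading in httpd.conf, and the lines that `openssl s_client -status` prints in OpenSSL 1.0.x/1.1.x. The sample outputs at the bottom are constructed, not real captures.

```shell
#!/bin/sh
# Added example (editor's code, not from the page or the httpd project).
# stapling_config  - prints an enabled version of the stapling settings
# stapling_status  - classifies "openssl s_client -status" output on stdin
# check_stapling   - runs the live check against a host (needs network)

# Stapling settings with the two required directives uncommented, plus the
# two directives that decide what happens when the CA's responder is down.
stapling_config() {
    cat <<'EOF'
# Only if not already loaded in httpd.conf; provides the "shmcb:" cache
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Server-config context: must sit outside <VirtualHost>, shared by all vhosts
SSLStaplingCache "shmcb:c:/Apache24/logs/ssl_stapling(32768)"

<VirtualHost _default_:443>
    SSLEngine on
    SSLUseStapling On
    # Seconds to wait for the responder before giving up on this handshake
    SSLStaplingResponderTimeout 5
    # Off: a responder error is not stapled; the client falls back to its own
    # revocation check instead of receiving an error response from us
    SSLStaplingReturnResponderErrors Off
</VirtualHost>
EOF
}

# Classify s_client -status output read on stdin:
#   stapled - a successful OCSP response was stapled to the handshake
#   error   - a staple was sent but carries a responder error (tryLater ...)
#   none    - the server sent no OCSP response at all
#   unknown - neither marker seen (e.g. the connection failed)
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo error
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Live check: check_stapling www.example.org [443]
check_stapling() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed samples of the relevant s_client lines (not real captures)
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_ERROR='OCSP Response Data:
    OCSP Response Status: tryLater (0x3)'
```

   Run the check from any machine that has an openssl command; "none" after a restart usually means mod_socache_shmcb is not loaded or SSLStaplingCache is inside a VirtualHost, and "error" means the responder failed and SSLStaplingReturnResponderErrors is still On.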

   This build links against OpenSSL 1.0.1l, so the issues described in the OpenSSL Security Advisory of 08 Jan 2015 are fixed in it.

   I downloaded httpd-2.4.12-win32-VC11.zip from Apache Lounge for my Windows 7 server. If you need information about configuring Apache 2.4.x on Windows, see my post 'To create a Wamp-like Web Server in Windows7-#1'.

Categories
Vulnerability

I am removing Google AdSense until a new Adobe Flash Player version comes out.

Japanese version of this article
Update information      Edit(Feb.5)    Edit2(Feb.7)

   Hey guys! I am removing Google AdSense until a new Adobe Flash Player version comes out. There is nothing wrong with Google AdSense itself, but it sometimes includes bad sites. For now, I mean until CVE-2015-0313 is fixed, it might carry a site infected with hxxp://www.retilio.com/skillt.swf, which Trend Micro calls SWF_EXPLOIT.MJST. This bad SWF spreads rapidly through popular sites, for example Dailymotion.

   When the new Adobe Flash Player version reaches us, I'll restore Google AdSense on my sites. m(_ _)m

Edit(Feb.5):
   Hi, they have released the new Adobe Flash Player version. As of now (16:00 JST), I've confirmed that I have the new version 16.0.0.305 in my IE, Firefox and Google Chrome. I strongly recommend that everybody update to the new version immediately.

   I'll restore Google AdSense on my sites within a few days.

Edit2(Feb.7):
   Google AdSense has been restored.

Categories
Linux

First VPS #7: How to use the repository I created for myself.

Japanese version of this article

   Last time, I created a repository of my own. This time, I'll write about how to use that repository.

   Log in to the CentOS 7 machine on which you want to use the repository, for example the VPS, a VM used as a development environment, and so on.

  1. Install 'yum-plugin-priorities'.
    Without the plugin, yum simply takes the newest version of a package from whichever enabled repository has it, so a package from my repository is passed over whenever Base, Updates or Extras carries the same package at an equal or newer version. You can of course handle this by hand each time, but for a repository I use often I prefer 'yum-plugin-priorities': a repository with a lower priority number wins regardless of version.
    $ sudo yum install yum-plugin-priorities
     
    Then set a priority for the repositories you use often. To see which repositories are enabled, run the next command.
    $ yum repolist
     
    'yum repolist all' also lists the disabled repositories, i.e. everything that is configured.
  2. Create a myrepo.repo in the directory /etc/yum.repos.d.
    $ sudo vi /etc/yum.repos.d/myrepo.repo
    Its text is the followings.
    [myrepo]
    name=o6asan’s original RPM packages
    baseurl=http://www17130ue.sakura.ne.jp/~myrepo/x86_64/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-o6asan
    priority=1
  3. Add 'priority=2' as the last line of the [base], [updates] and [extras] sections in /etc/yum.repos.d/CentOS-Base.repo. A lower number is a higher priority, so myrepo (priority=1) now wins over the stock repositories.
  4. $ wget http://www17130ue.sakura.ne.jp/~myrepo/x86_64/RPM-GPG-KEY-o6asan
    $ sudo mv RPM-GPG-KEY-o6asan /etc/pki/rpm-gpg/

   Now I'm ready to use my repository. The first time I install something from it, CentOS 7 asks whether to import RPM-GPG-KEY-o6asan and imports it if I answer 'yes'.
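   The four steps above as one re-runnable script, added here as an editor's example rather than the post's own commands. It also adds the check the steps skip: the key is fetched over plain HTTP from the same server that serves the packages, so gpgcheck=1 only proves a package was signed by whoever controls that server unless you compare the key's fingerprint with one obtained out of band (from the repository owner directly). The URL and key name are the ones from the post; EXPECTED_FPR is a placeholder you must replace with that fingerprint, and the gpg invocation assumes the gpg 2.0 shipped with CentOS 7. The sample CentOS-Base.repo used to exercise the filter is constructed.

```shell
#!/bin/sh
# Added example (editor's script, not the original post's steps verbatim).
# Only apply_to_system touches the machine, and only when APPLY_MYREPO=1.

REPO_URL="http://www17130ue.sakura.ne.jp/~myrepo/x86_64/"
KEY_NAME="RPM-GPG-KEY-o6asan"
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND"   # placeholder

# Step 2: the .repo stanza. gpgcheck=1 makes yum reject packages that are
# unsigned or signed by a key other than the one named in gpgkey;
# priority=1 beats the stock repos once they carry priority=2.
make_repo_file() {
    cat <<EOF
[myrepo]
name=o6asan's original RPM packages
baseurl=${REPO_URL}
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/${KEY_NAME}
priority=1
EOF
}

# Step 3: append "priority=2" to the [base], [updates] and [extras] stanzas
# of a CentOS-Base.repo read on stdin. Other stanzas are untouched and a
# stanza that already has a priority= line is left alone, so running the
# filter twice gives the same result.
set_base_priorities() {
    awk '
        function flush() { if (want) print "priority=2"; want = 0 }
        substr($0, 1, 1) == "[" {
            flush()
            want = ($0 == "[base]" || $0 == "[updates]" || $0 == "[extras]")
            print; next
        }
        /^[ \t]*$/   { flush(); print; next }
        /^priority=/ { want = 0 }
        { print }
        END { flush() }
    '
}

# Print the fingerprint of the first key in an armored key file, from gpg's
# machine-readable "fpr" record (field 10). Empty output if gpg is missing.
key_fingerprint() {
    gpg --with-fingerprint --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 1-4 applied to the running system, with the fingerprint check.
apply_to_system() {
    sudo yum install -y yum-plugin-priorities
    make_repo_file | sudo tee /etc/yum.repos.d/myrepo.repo >/dev/null
    sudo cp -n /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
    set_base_priorities </etc/yum.repos.d/CentOS-Base.repo.orig |
        sudo tee /etc/yum.repos.d/CentOS-Base.repo >/dev/null
    tmp_key="/tmp/${KEY_NAME}"
    wget -q -O "$tmp_key" "${REPO_URL}${KEY_NAME}"
    fpr=$(key_fingerprint "$tmp_key")
    if [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "refusing to import ${KEY_NAME}: fingerprint '${fpr}' != '${EXPECTED_FPR}'" >&2
        rm -f "$tmp_key"
        return 1
    fi
    sudo rpm --import "$tmp_key"      # trust it now, so yum will not prompt later
    sudo mv "$tmp_key" "/etc/pki/rpm-gpg/${KEY_NAME}"
    yum repolist                      # myrepo should now appear in the list
}

if [ "${APPLY_MYREPO:-0}" = "1" ]; then
    apply_to_system
fi
```

   Run it as `APPLY_MYREPO=1 sh myrepo-setup.sh`. Importing the key with `rpm --import` up front means the trust decision is made by the fingerprint comparison in the script, not by whoever happens to answer 'yes' at the first yum prompt; if the comparison fails, nothing is imported and the downloaded file is discarded.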

Note) How to delete a GPG public key from a client PC.
   The key yum imported is not in the user's GnuPG keyring; rpm stores it in the RPM database as a pseudo-package named gpg-pubkey-<keyid>-<timestamp>, so 'gpg --delete-key <email@address>' cannot find it (it gave 'Unknown system error'). The next command works instead.
  $ sudo rpm -e [package]

   For that you need the exact package name, which you can list with the following.
  $ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

   For example, the CentOS-7 key shows up as follows.
  gpg-pubkey-f4a80eb5-53a7ff4b --> gpg(CentOS-7 Key (CentOS 7 Official Signing Key) )
   So you can delete it by the next command.
  $ sudo rpm -e gpg-pubkey-f4a80eb5-53a7ff4b