The security team here in VisibleThread regularly monitor the Ubuntu security notices and following on from our 'Shellshock' security announcement (http://support.visiblethread.com/entries/56131579-Linux-Bash-Vulnerability-aka-Bash-bug-or-Shellshock-Security-Update-September-25-2014), there have been some further security updates to the Ubuntu operating system that you may wish to apply.
Note These security updates only apply to customers who are using the LTS version of the Ubuntu Operating System. If you are unsure which version you are using, contact our support team at email@example.com
In particular the following Critical security fixes have been made available:
1. **USN-2393-1** Wget vulnerability (http://www.ubuntu.com/usn/usn-2393-1/)
2. **USN-2385-1** OpenSSL vulnerabilities (http://www.ubuntu.com/usn/usn-2385-1/)
3. **USN-2389** libxml vulnerability (http://www.ubuntu.com/usn/usn-2389-1/)
4. **USN-2399** curl vulnerability (http://www.ubuntu.com/usn/usn-2399-1/)
These and other security updates can be applied by running the 'security-update.sh' script on our VM:
This script will download the latest security updates from Ubuntu and apply them (it may take several minutes)
SSL v3 Vulnerability
A security flaw has been discovered in the SSL v3 protocol that is used to encrypt all communications between web browsers and servers (http://www.rapid7.com/db/vulnerabilities/sslv3-supported). SSL v3 is one of the protocols that is supported by the VisibleThread server for securing communications between the web browser and the VisibleThread server.
As this is a flaw in the SSL v3 protocol design, a configuration change is required on the VisibleThread VM to remove SSL v3 as a supported protocol. Steps to do this are outlined below. Note that some older browsers such as Internet Explorer 6 require SSL v3 in order to use the HTTPS protocol. Applying this configuration change may make the VisibleThread application unstable in IE6.
Steps to remove SSL v3 from the VisibleThread VM
Log in to the VM console and type the following commands:
mkdir /home/visiblethread/oldapacheconfig cp /etc/apache2/sites-enabled/000-default /home/visiblethread/oldapacheconfig
Now ftp the attached file to the /home/visiblethread directory on the VM the file should be called 'newapacheconfig'
Once the file is in place we need to copy it to the appropriate folder
sudo mv /home/visiblethread/newapacheconfig /etc/apache2/sites-enabled/000-default
Now we need to restart the apache service
sudo service apache2 restart