Latest Updates
Aug 16

Recently WANdisco received notification of a critical vulnerability in the SVN client (CVE-2017-9800) and in Git (CVE-2017-1000117). Either could allow a malicious third party to execute code on a Git/SVN server.

WANdisco recommends the use of SVN v1.8.19, v1.9.7 and Git v2.14.1, v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4, or v2.13.5 in which the vulnerability is patched.

Users of MSP will need to implement the recommendations listed in the SVN CVE advisory until a patched version of MSP ships. GitMS has no such workaround, so our core recommendation is not to run Git clients on your Git server. GitMS is receiving a priority release.

For MSP Users:

WANdisco’s server binaries that ship with SVN MultiSite Plus also contain the SVN client which may be able to execute the ssh command depending on configuration.

To mitigate, the ssh tunnelling exploit can be prevented by editing the Subversion config file for each user on the server. The file contains this commented-out entry:

    # ssh = $SVN_SSH ssh -q

To prevent the exploit, uncomment this line and edit it to:

    ssh = $SVN_SSH ssh -q --

This change should be implemented as a default for any user on the SVN server who has the ability to run ssh commands. To do this you can make use of Subversion's global configuration area on each server [1].
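Because the default is a commented-out line, an administrator confirming that the change has landed on every account has to inspect each config file. The following script is an added example (not part of WANdisco's advisory or products) that audits those files: it reports any Subversion runtime config whose [tunnels] section lacks an uncommented "ssh =" line ending in the "--" terminator. It assumes the standard Unix locations, /etc/subversion/config for the global area and ~/.subversion/config under /home and /root for per-user ones; other home-directory layouts need the glob adjusted.

```shell
#!/bin/sh
# Added audit helper (not WANdisco's code): reports which Subversion runtime
# config files on this server still lack the hardened tunnel line
#     ssh = $SVN_SSH ssh -q --
# in their [tunnels] section. The default, commented-out line counts as
# unhardened, because Subversion then uses its built-in ssh command instead.

# svn_tunnel_is_hardened FILE
# Exit 0 if the last uncommented "ssh = ..." line inside [tunnels] ends with
# the "--" option terminator, 1 otherwise (including when the line is absent).
svn_tunnel_is_hardened() {
    awk '
        # a section header switches the "inside [tunnels]" flag on or off
        /^[ \t]*\[/ { in_tunnels = ($0 ~ /^[ \t]*\[tunnels\][ \t]*$/); next }
        in_tunnels && /^[ \t]*ssh[ \t]*=/ {
            sub(/^[ \t]*ssh[ \t]*=[ \t]*/, "")     # keep only the command line
            n = split($0, w, /[ \t]+/)
            while (n > 0 && w[n] == "") n--       # ignore trailing blanks
            hardened = (n > 0 && w[n] == "--")    # the last definition wins
        }
        END { if (hardened) exit 0; exit 1 }
    ' "$1"
}

# audit_svn_tunnel_configs
# Walk the global config and every user config (assumed paths: the standard
# Unix /etc/subversion/config and ~/.subversion/config for accounts under
# /home plus root). Exit 0 only if every file that exists is hardened.
audit_svn_tunnel_configs() {
    status=0
    for f in /etc/subversion/config /root/.subversion/config /home/*/.subversion/config; do
        [ -f "$f" ] || continue
        if svn_tunnel_is_hardened "$f"; then
            echo "hardened   $f"
        else
            echo "UNHARDENED $f"
            status=1
        fi
    done
    return $status
}

# Run the audit when invoked as "sh svn-tunnel-audit.sh --audit"; without the
# flag the file only defines the functions, so it can be sourced elsewhere.
if [ "${1:-}" = "--audit" ]; then
    audit_svn_tunnel_configs
fi
```

A non-zero exit from the audit is a convenient hook for configuration management or a cron job that alerts when a newly created account ships with the unhardened default.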

For GitMS Users:

WANdisco’s server binaries that ship with Git MultiSite include the Git client which, unpatched, may be able to execute the ssh command depending on your configuration.

Currently there is no mitigation for the Git defect short of patching the Git client with the fix. WANdisco is currently testing a Git MultiSite release with a patched Git client. The fix should be out shortly.

In general, your administrators should not be using the Git client on the server to do work. If they are doing so, you might ask them to stop until the Git MultiSite patch is installed.

There are still two ways in which a malicious user doing a push could trigger the bug:

  1. Current hook scripts that are using Git+SSH
  2. Git Submodules

Please review your Git usage and be careful to eliminate or harden such usage. By “harden” we mean carefully validating the options used in Git+SSH hook scripting, or writing a new hook script to prevent malicious submodule statements from being pushed onto your server.
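One form the hook script suggested above could take, as an added example rather than WANdisco's own code: a pre-receive hook for the server-side repository that reads .gitmodules at every pushed tip and rejects the push if a submodule URL would make Git invoke ssh with a host (or user@host) beginning with "-", the URL shape that the upstream Git fix referenced in the thread below refuses. The set of URL forms treated as ssh transports, the hook's file name and the plain "url =" layout of .gitmodules are the example's assumptions.

```shell
#!/bin/sh
# Added example of the "new hook script" the advisory suggests (not WANdisco's
# code): a pre-receive hook that rejects a push when any .gitmodules in the
# pushed commits declares a submodule whose ssh host (or user@host) starts
# with "-", because ssh would otherwise parse that word as an option.

# submodule_url_is_safe URL
# Exit 0 to accept, 1 to reject. Only URLs that Git hands to ssh are checked:
# "ssh://[user@]host[:port]/path" (plus the git+ssh / ssh+git aliases) and the
# scp-like "[user@]host:path" form. http(s), git://, file:// and relative
# paths never reach ssh and are accepted as they are.
submodule_url_is_safe() {
    url=$1
    case $url in
        ssh://*|git+ssh://*|ssh+git://*)
            rest=${url#*://}            # strip the scheme
            userhost=${rest%%/*}        # authority part: [user@]host[:port]
            ;;
        *://*)
            return 0                    # some other transport, not ssh
            ;;
        *:*)
            userhost=${url%%:*}         # scp-like: the text before the first ':'
            case $userhost in
                */*) return 0 ;;        # a '/' before ':' means a local path, not a host
            esac
            ;;
        *)
            return 0                    # no host component at all
            ;;
    esac
    host=${userhost##*@}                # drop any user@ prefix
    case $userhost in -*) return 1 ;; esac   # "-user@host" reaches ssh as one word
    case $host in     -*) return 1 ;; esac   # "-host" would be parsed as an option
    return 0
}

# check_pushed_submodules
# Reads the standard pre-receive stdin lines "<old-sha> <new-sha> <refname>",
# extracts every "url = ..." from .gitmodules at each new tip and fails on the
# first unsafe one. Must run inside the repository, as Git hooks do.
check_pushed_submodules() {
    while read -r _old new ref; do
        # a ref deletion has an all-zero new sha and nothing to inspect
        case $new in 0000000000000000000000000000000000000000) continue ;; esac
        git cat-file -e "$new:.gitmodules" 2>/dev/null || continue
        git show "$new:.gitmodules" \
            | sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' \
            | while read -r url; do
                  if ! submodule_url_is_safe "$url"; then
                      echo "pre-receive: rejecting $ref: submodule url '$url' has a host starting with '-'" >&2
                      exit 1          # leaves this pipeline subshell only
                  fi
              done || return 1
    done
    return 0
}

# Run the check only when installed as hooks/pre-receive, so the file can
# also be sourced on its own to exercise the URL check.
case ${0##*/} in
    pre-receive) check_pushed_submodules || exit 1 ;;
esac
```

Installed as hooks/pre-receive in the bare repository, the hook makes Git refuse the whole push and report the offending URL and ref to the pusher; commits already in the repository are untouched, so an audit of existing history still needs a separate pass over each branch's .gitmodules with the same function.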

Please consult WANdisco support if you have any questions.


[1] http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout This link describes Subversion 1.7, but the description is correct for all other versions as well.


References:

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u




Aug 30
Platform notifications PLAT-943 & ACP-2603
Posted by Gordon Vaughan on 30 August 2016 02:55 PM

Please find below two advisory notices that we ask you to read and consider. It is important that these are read and understood at the appropriate level, so please make all administrators of your WANdisco products aware of them to prevent any issues in future. As always, if you have any questions you are welcome to respond to this ticket and we will get back to you with any support needed as soon as possible.


PLAT-943 – Issues with ‘Voter Only’ nodes

Severity: Major

Affected product(s): Subversion MultiSite Plus and Git MultiSite

Content: The use of the ‘Voter Only’ node type has been found to cause issues: a node can encounter a non-graceful stop, after which it fails to restart fully. Adding a voter-only node can therefore result in a need to reinstall that node, which in turn requires a maintenance window to resolve.

Context: WANdisco has, to date, not deployed any customer environment that makes use of the voter-only node functionality, and has not recommended it to any customer. We expect that any customer wishing to add new nodes would contact WANdisco, which, with this issue in mind, would give us the opportunity to steer them away from this voter type. However, because the functionality allows a customer to take this step without engaging WANdisco, it is important that we highlight it for all customers who could make this change.

Workaround/Recommendation: The workaround is simple: do not use the voter-only role for any node. Should you have already deployed a voter-only node, please contact WANdisco Support as soon as possible. This issue is expected to be fixed in a forthcoming release of both affected platforms.


ACP-2603 – GFR log file growth, rotation needed

Severity: Major

Affected product(s): Access Control Plus

Content: It has been noted that GFR log files can grow very quickly, so WANdisco recommends that log rotation is put in place to ensure this does not impact Access Control Plus.

Context: While this is not a bug within Access Control Plus, growth of this GFR log file can create serious issues for our product, so we must issue an advisory on rotation methodology.

Workaround/Recommendation: One such method, on some Linux distros, would be to create the file /etc/logrotate.d/wandisco with the following contents:

    /opt/wandisco/git-multisite/replicator/gfr/log/*.log
    /opt/wandisco/svn-multisite-plus/replicator/gfr/log/*.log
    {
        rotate 31
        daily
        missingok
        nomail
        noshred
        compress
        delaycompress
        ifempty
        dateext
        dateformat _%Y%m%d
        maxsize 100k
        noolddir
    }

The above keeps 31 rotated log files, compresses each one a day after rotation (gzip -9) and names the compressed files with a "_YYYYMMDD.gz" suffix. Rotation via the "logrotate" command is normally run daily by cron through the "/etc/cron.daily/logrotate" script, and logrotate itself is normally configured via "/etc/logrotate.conf" to include all files in "/etc/logrotate.d".

WANdisco recommend implementing this as soon as possible to prevent issues in future.





May 19

To enhance the usability and security of our support, WANdisco is delighted to announce a revamped system for retrieving software downloads and for providing logs, talkbacks and other large documents beyond the 10MB size limit of our support ticket system, Kayako.

The new portal can be accessed via https://customer.wandisco.com/. To access this page you will need to have a valid product license. For those customers who do not purchase WANdisco products and have Subversion/Git support only, a bespoke license will be created and shared with you to obtain access.

Once the file is uploaded via the simple Drag-and-Drop and validated, you will have access to an easy-to-use portal that is securely tied to the license you provided. The Home page will present a list of the available software, with download links valid for a 24 hour period.

An Upload tab at the top allows you to manage Secure File Transfer Protocol (SFTP) accounts, with instructions for creating and maintaining your SFTP accounts to gain access to the WANdisco SFTP server sftp://sftp.wandisco.com.

There is also a specific Upload option to drag and drop files for direct upload, or to upload via curl for files up to 50MB. Full instructions for each option are laid out within the portal itself.

The existing ftp/sftp server custftp.support.wandisco.com will expire on 1st June 2016. Please share this information with the teams involved in administering your WANdisco Support portal to ensure awareness of, and readiness for, the change. If you have any issues with the new portal, please contact the support team via the usual channel, https://support.wandisco.com, for assistance.


Kind Regards,

Gordon Vaughan

Service Delivery Manager





Dec 7
WANdisco File Distribution portal update
Posted by Gordon Vaughan on 07 December 2015 04:46 PM

As part of our drive for continuous improvement, WANdisco will shortly launch a revamped version of our File Distribution portal.

Having reviewed the existing portal, WANdisco recognised that the user experience was not ideal, with a particular barrier being that customers needed to keep a note of their custom URL, or contact support to obtain it. To that end we’ve made some changes that will ensure a single point of entry for all customers, and a more friendly UI experience all round.

From Thursday 10th December at 1400 GMT (0600 PST) the new version of FD will launch, and will be available at the fixed URL of https://customer.wandisco.com. On this screen, you will be presented with a file upload tool. This tool requires you to provide a copy of your license file, which must be valid to progress. Upon provision of a valid license key, the tool will recognise your company and entitlement from the file uploaded, and from there present the available installation files for download.

WANdisco expects that this revised portal will cause no issues for customers, as holding a valid license is absolutely necessary for installation of the software(s) presented. If, for any reason, you are missing your license file, please raise a ticket to the Support team via support.wandisco.com and the team will work to provide a license or clarify the situation as appropriate.

Kind Regards,

Gordon Vaughan

Service Delivery Manager





Nov 19
Ticket change notice - attachment limit now set to 10MB
Posted by Gordon Vaughan on 19 November 2015 05:32 PM

WANdisco has recently experienced a surge in the number of tickets raised into our support portal with very large attachments. While our support portal is more than capable of handling the attachment sizes uploaded, the knock-on effect has been that emails from the support desk to our customers have been bounced due to size limits. This has created the potential for major communication issues, which is something neither WANdisco nor our customers can countenance.


Having assessed all the options available and considered the impacts, we have deployed a 10MB file size limit on attachments via our portal, effective immediately. Any attempts to create or update tickets with files of this size or greater will result in a failure to upload, although the ticket text content will be received.


Should you have a need to send us a file sized 10MB or greater, please upload these to the shared space we have made available to you (FTP/SFTP). Should you be unfamiliar with this process, or require access, please contact the support team via the usual channels.


Thanks,

Gordon Vaughan

Service Delivery Manager - WANdisco





