Ghost, really again?!

Hello!


Much has already been said about the "new" glibc vulnerability with the mysterious name Ghost.

For this reason, I will not take up your time describing the vulnerability or the possible ways to eliminate it on the systems in your care. Instead, I will explain how to fix it in our products: Kerio Connect, Kerio Control and Kerio Operator.

Let's start with our Kerio Connect Virtual Appliance distribution, which runs a full-fledged Debian Wheezy (Kerio Connect VMapp 8.3.x and newer) or Debian Squeeze (Kerio Connect VMapp 8.2.x and older).

In general, the procedure does not differ from the one already presented on Habr and other resources. However, in the case of the Kerio Connect VMapp, you need to make small changes to the list of repositories in use, if you have not done so already.

In the terminal, enter the following command:

sudo nano /etc/apt/sources.list 


For Debian 7 (Wheezy), this file should contain:

deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
deb-src http://ftp.debian.org/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main


For Debian 6 (Squeeze), this file should contain:

deb http://ftp.debian.org/debian/ squeeze main contrib
deb-src http://ftp.debian.org/debian/ squeeze main contrib
deb http://security.debian.org/ squeeze/updates main contrib
deb-src http://security.debian.org/ squeeze/updates main contrib
deb http://ftp.debian.org/debian squeeze-lts main contrib
deb-src http://ftp.debian.org/debian squeeze-lts main contrib
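
To confirm the edit took effect before updating, the following script reports which of the binary repository entries listed above are missing from a sources file. It is an added example, not Kerio's own tooling; the function names are hypothetical, and only the `deb` lines are checked because `deb-src` entries are needed only to fetch source packages.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not part of any Kerio product.

# Print the binary ("deb") entries the article lists for a Debian codename.
required_entries() {
    case "$1" in
        wheezy) cat <<'EOF'
deb http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
EOF
        ;;
        squeeze) cat <<'EOF'
deb http://ftp.debian.org/debian/ squeeze main contrib
deb http://security.debian.org/ squeeze/updates main contrib
deb http://ftp.debian.org/debian squeeze-lts main contrib
EOF
        ;;
        *) return 2 ;;
    esac
}

# Drop comments and blank lines, collapse whitespace, strip a trailing "/" from the URI.
normalize() {
    sed 's/#.*//' "$@" | awk 'NF >= 3 { sub(/\/$/, "", $2); $1 = $1; print }'
}

# Print every required entry that is absent from the given sources file.
# Returns 2 for an unreadable file or a codename the article does not cover.
missing_entries() {
    codename=$1; file=$2
    [ -r "$file" ] || return 2
    required_entries "$codename" >/dev/null || return 2
    have=$(normalize "$file")
    required_entries "$codename" | while IFS= read -r want; do
        key=$(printf '%s\n' "$want" | normalize)
        printf '%s\n' "$have" | grep -qxF -- "$key" || printf '%s\n' "$want"
    done
}

# Constructed sample: a Wheezy sources.list that lacks the security repository.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real appliance file
deb  http://ftp.debian.org/debian/ wheezy main
deb http://ftp.debian.org/debian wheezy-updates main   # point releases
EOF
missing_entries wheezy "$sample"
```

On the appliance itself, call `missing_entries wheezy /etc/apt/sources.list` (or `squeeze` for the older VMapp); empty output means all three binary entries are present.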


With our other products, Kerio Control and Kerio Operator, and their Software and Virtual Appliance distributions, the situation is somewhat different: because the distributions themselves are based on a stripped-down version of Debian Linux Wheezy, they carry the vulnerable glibc library.

However, in the case of Kerio Control distributions, the vulnerability cannot be exploited because Kerio Control has its own DNS forwarding module. At the same time, the service release of Kerio Control 8.4.3, which contains the revised library, will be published on our automatic update servers within a couple of days.

Kerio Operator distributions up to version 2.3.4 are vulnerable when the standard configuration of the built-in iptables is kept, but only from within the local network.

The Kerio Operator 2.3.4 patch 1 service release will be available on our automatic update servers within a day from today.

To maintain an acceptable level of security, we recommend that Kerio Operator administrators neither change the built-in firewall settings in Kerio Operator nor use the phone provisioning feature on public networks, which is also our standard recommendation to users.


Once the corresponding versions of the distributions are published, we will post download links in our blog.

For the latest information on this vulnerability and its impact on Kerio products, follow the specially created page.

Thanks for your attention! We wish everyone a quiet "Internet"!

As we promised, the service releases of Kerio Control and Kerio Operator have already been published with version numbers 8.4.3 and 2.3.4 patch 1, respectively.
You can upgrade either through the administration interface of the corresponding product:



or by downloading the update image from our website www.kerio.ru, under Support / Kerio Control or Kerio Operator.

Source: https://habr.com/ru/post/249227/
