We have also included MongoDB drivers for PHP, but they are not installed by default. If you wish to use them, they must be installed for each PHP version you need.
# PHP 5.5
sudo apt-get install php55rc-pecl-mongodb
sudo systemctl reload php55rc-fpm
# PHP 5.6
sudo apt-get install php56rc-pecl-mongodb
sudo systemctl reload php56rc-fpm
# PHP 7.0
sudo apt-get install php70rc-pecl-mongodb
sudo systemctl reload php70rc-fpm
# PHP 7.1
sudo apt-get install php71rc-pecl-mongodb
sudo systemctl reload php71rc-fpm
# PHP 7.2
sudo apt-get install php72rc-pecl-mongodb
sudo systemctl reload php72rc-fpm
PHP 7.2 includes support for a new password hashing algorithm, Argon2. Argon2 was the winner of the Password Hashing Competition (PHC) in July 2015. Note that the Argon2 module is only available for PHP 7.2, so it cannot be used with PHP 7.1 and below.
To benefit from the update you don’t have to do anything on your server, because Servermeister has taken care of it.
If you want to use Argon2 with PHP 7.0 and PHP 7.1, you can manually compile it from PHP Argon2 Ext. The Argon2 library is available in our repository. You just have to download it to compile your own Argon2 module.
sudo apt-get install libargon2-1-dev
A new class of side-channel attacks has appeared, which exploits the following CPU vulnerabilities:
- CVE-2017-5715 : branch target injection
- CVE-2017-5753 : bounds check bypass
- CVE-2017-5754 : rogue data cache load
Meltdown and Spectre rely on them and allow attackers to read the memory content of other programs. This means they can access stored sensitive data such as passwords, photos, emails, secret documents, etc.
The original coordinated disclosure date of this issue was planned for January 9, but the issue became public 6 days earlier.
Both are side-channel attacks, but there is a slight difference between them:
Memory isolation is the basis of security on computers. It prevents user applications from accessing each other’s memory and from reading or writing kernel memory. That’s why multiple users can use one single machine safely.
Meltdown breaks this isolation and provides a way to read the kernel memory (from user space), including all the secrets in it. It doesn’t exploit any software vulnerabilities, so it doesn’t matter which operating system you are using.
Meltdown’s biggest strength is the side effects caused by out-of-order execution*.
* An optimization technique that maximizes the utilization of all execution units of a CPU core.
CVE-2017-5715 and CVE-2017-5753
This attack tricks a processor that uses branch prediction into speculatively executing* instructions that would not have been executed during correct program execution. This way, information from the victim’s memory can be leaked.
The Spectre attack can work on non-Intel processors too, such as AMD and ARM processors.
For attackers, this technique is more difficult to carry out, but it is also harder to mitigate. Unfortunately, the KAISER patch cannot protect against it.
* A technique for increasing the performance of high-speed processors.
No one is safe
We urge server owners to do everything they can to take care of their servers’ security, as there are no patches for Ubuntu and Debian yet, only for the following distros *:
- RHEL 7.x
- CentOS 7.x
- Fedora 26/27
- Debian stretch
- Arch Linux
- Gentoo Linux
SUSE also released patches for most recent SUSE Linux Enterprise (SLE) versions yesterday.
Desktops, laptops, smartphones, tablets, cloud devices, servers… All of them are endangered by Meltdown and Spectre.
Also, once you have been attacked, it’s hard to detect, as none of these attacks leaves traces in the traditional log files. It’s not easy to distinguish them from regular benign applications, so antivirus cannot solve the problem.
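Because the attacks leave no log traces, the practical check is whether the running kernel carries the fixes. The script below is an added example, not part of the original post: it reads the status files Linux exposes under /sys/devices/system/cpu/vulnerabilities for the three CVEs listed above, assuming the kernel provides that directory (older, unpatched kernels do not). The function names are made up for this example.

```shell
#!/bin/sh
# Added example: report kernel mitigation status for Meltdown and Spectre.
# Assumption: the kernel exposes the sysfs directory below; if a file is
# missing, the status is reported as "unknown" and treated as not fixed.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <text>: map one sysfs status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_cve <sysfs-file-name> [dir]: verdict for one vulnerability entry.
check_cve() {
    file="${2:-$VULN_DIR_DEFAULT}/$1"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return
    fi
    classify_status "$(head -n 1 "$file")"
}

# report [dir]: print one line per CVE; return 1 unless every entry is
# mitigated or not affected.
report() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for pair in "CVE-2017-5754:meltdown" "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2"; do
        cve="${pair%%:*}"
        name="${pair#*:}"
        verdict="$(check_cve "$name" "$dir")"
        printf '%s (%s): %s\n' "$cve" "$name" "$verdict"
        case "$verdict" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the live system.
report || echo "At least one mitigation is missing or not reported by this kernel."
```

A non-zero return from `report` makes it usable in a monitoring job or post-upgrade check across a fleet.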