Email received regarding security vulnerability

Ask your questions regarding TimeTrex installation here.
Rumbles
Posts: 16
Joined: Wed Oct 08, 2014 1:31 am

Email received regarding security vulnerability

Post by Rumbles »

Hi,

We recently (30th of Sept) received an email from Timetrex stating that there was a security vulnerability in some 3rd party library used by Timetrex and that we should update our installation.

Is it possible to get some further information about this vulnerability please? What 3rd party library is the cause? Is this connected or caused by the Shellshock bug that was discovered recently? If so, will updating bash on any system running Timetrex cover the bug?

I've had a quick look for some information about this on your site and here on the forum but I don't see anything regarding this issue.

Thanks,
shanec
Posts: 417
Joined: Thu Apr 25, 2013 8:22 am

Re: Email received regarding security vulnerability

Post by shanec »

The security vulnerability indicated in the bulletin that we sent out is unrelated to Shellshock. You must upgrade to the latest version of TimeTrex to correct the issue.
Rumbles
Posts: 16
Joined: Wed Oct 08, 2014 1:31 am

Re: Email received regarding security vulnerability

Post by Rumbles »

Hi,

Thanks for that, but is there any further information available?

Since our installation has been heavily modified by a previous manager, we cannot blindly upgrade and could do with knowing how serious the vulnerability is so we can grasp how urgent the need to update is.

Thanks
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: Email received regarding security vulnerability

Post by shaunw »

We won't be releasing more details until we give our customers more time to upgrade their own instances of TimeTrex.

It's a critical severity security vulnerability, and we recommend that everyone upgrade as soon as possible. We wouldn't be saying that if it were a minor issue; it's a critical issue, and there is no higher level on the scale. If you don't upgrade you are putting yourself at risk, plain and simple. With data security/privacy laws as they are these days, not patching security vulnerabilities would put the entire company at risk, and the fact that you are aware of the issue and not fixing it is likely to be considered negligent in the eyes of the law if it were ever to come to that. Of course we hope that never happens.

If you modified TimeTrex in such a way that makes it difficult to upgrade, you are doing it wrong (i.e. not using the plugin system or proper methods). All software needs to be upgraded as bugs/issues are discovered and fixed; TimeTrex is no exception to that. If you don't have an easy way to upgrade, you are painting yourself into a corner that will be very painful to get out of. If modifications are done properly, upgrading shouldn't be a big deal at all. In fact, the majority of customers modifying TimeTrex can continue to use the automatic upgrade system.

If you happen to be using a version of TimeTrex older than v7.0, you may want to consider contacting our support department to look into getting professional help, as versions older than that aren't supported for upgrading out-of-the-box and may require manual intervention anyway.
Rumbles
Posts: 16
Joined: Wed Oct 08, 2014 1:31 am

Re: Email received regarding security vulnerability

Post by Rumbles »

Thanks for the info, I look forward to you providing further information on the nature of this issue.

As I stated before, the installation of Timetrex has been heavily modified by a previous manager, who had a reputation for hacking software to get an end result that he needed at the time, without caring about future issues or upgrade paths. Since I've inherited this, I cannot go around updating software as it's likely to break all the crap he put in to it that others in the company now rely on. I'm just the poor fool who has to look after the mess he left behind.

Is there any documentation available on upgrading from versions earlier than version 7 at all? Ideally updating from version 3.x, as I believe one install is on version 3.6.

Also, is there an easy way to find out exactly what version is currently installed? I've had a look in the README, INSTALL, UPGRADE and LICENSE files, as well as one of the PHP files, but don't see anything confirming the version number.

Thanks
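Before deciding whether a vendor upgrade can be applied to an install that a previous admin hand-patched, the practical first step is to find out exactly which files differ from the vendor's release. The script below is an added example, not part of this thread and not TimeTrex code: it diffs a pristine copy of the same release (the version shown under Help -> About, extracted from the vendor tarball to a scratch directory) against the live document root and lists added, modified and deleted files. The directory names, file names and file contents in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread or from TimeTrex): inventory local
# modifications to a web-app install before attempting a vendor upgrade.
# All paths and file names below are hypothetical.

# list_local_changes PRISTINE_DIR LIVE_DIR
# Prints one line per difference: "A path" (added in live), "M path"
# (modified in live), "D path" (present in pristine, missing in live).
list_local_changes() {
    pristine=$1
    live=$2
    # Files present in the live install: flag additions and modifications.
    ( cd "$live" && find . -type f ) | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$pristine/$rel" ]; then
            printf 'A %s\n' "$rel"
        elif ! cmp -s "$pristine/$rel" "$live/$rel"; then
            printf 'M %s\n' "$rel"
        fi
    done
    # Files in the pristine release that the live install no longer has.
    ( cd "$pristine" && find . -type f ) | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#./}
        [ -f "$live/$rel" ] || printf 'D %s\n' "$rel"
    done
}

# count_local_changes PRISTINE_DIR LIVE_DIR  -> number of differing paths
count_local_changes() {
    list_local_changes "$1" "$2" | wc -l | tr -d ' '
}

# demo_inventory: builds a constructed pristine/live pair under a temp dir
# (stand-ins for a vendor release and a hand-patched install), runs the
# inventory, prints it, and cleans up.
demo_inventory() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/pristine/includes" "$tmp/pristine/classes" "$tmp/pristine/docs"
    mkdir -p "$tmp/live/includes" "$tmp/live/classes"
    printf '<?php $config["db"]="vendor";\n' > "$tmp/pristine/includes/config.php"
    printf '<?php class Report {}\n'          > "$tmp/pristine/classes/Report.php"
    printf 'vendor readme\n'                   > "$tmp/pristine/docs/README"
    # Live copy: config edited in place, an unofficial class dropped in,
    # docs directory deleted. (Constructed sample data.)
    printf '<?php $config["db"]="prod"; // hand-edited\n' > "$tmp/live/includes/config.php"
    printf '<?php class Report {}\n'                       > "$tmp/live/classes/Report.php"
    printf '<?php /* local hack */\n'                      > "$tmp/live/classes/custom_hack.php"
    list_local_changes "$tmp/pristine" "$tmp/live"
    rm -rf "$tmp"
}

# Usage on a real box (hypothetical paths):
#   list_local_changes /tmp/TimeTrex-pristine /var/www/html/timetrex
#   count_local_changes /tmp/TimeTrex-pristine /var/www/html/timetrex
demo_inventory
```

Every "M" and "A" line is a file the vendor upgrade will either overwrite or leave behind untouched, so the list doubles as the set of changes that must be re-applied as plugins (or dropped) after upgrading; keep the pristine copy read-only so the comparison stays honest.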
Rumbles
Posts: 16
Joined: Wed Oct 08, 2014 1:31 am

Re: Email received regarding security vulnerability

Post by Rumbles »

If it makes a difference the install is on a CentOS box
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: Email received regarding security vulnerability

Post by shaunw »

Rumbles wrote: Thanks for the info, I look forward to you providing further information on the nature of this issue.
Is there any documentation available on upgrading from versions earlier than version 7 at all? Ideally updating from version 3.x, as I believe one install is on version 3.6.

There is not, as any versions older than one year are no longer supported, and the 3.x series dates back as far as 2009.

Rumbles wrote: Also, is there an easy way to find out exactly what version is currently installed? I've had a look in the README, INSTALL, UPGRADE and LICENSE files, as well as one of the PHP files, but don't see anything confirming the version number.

When logged into TimeTrex, go to Help -> About.
Rumbles
Posts: 16
Joined: Wed Oct 08, 2014 1:31 am

Re: Email received regarding security vulnerability

Post by Rumbles »

Thanks, but the information you have provided contradicts your FAQs:

http://help.timetrex.com/index.php/Freq ... my_data.3F
The upgrade procedure is the exact same as the procedure performed during the initial installation, simply download the latest version from our website and install it over top of your existing TimeTrex folder. The installer will automatically detect this situation and perform the upgrade for you while retaining all of your data. You can upgrade from any older version to any newer version in a single step without a problem and the entire upgrade process usually takes around 5-10 minutes.
So will your updater work with this older version as your FAQs state, or will it just break?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: Email received regarding security vulnerability

Post by shaunw »

It works with any supported version; it may work with other versions, but we don't guarantee or test it with versions older than 1 year.