Good news!  We are doing a network equipment upgrade in the Auckland data center we use.  We are also adding extra space there (more VPS hosts, more dedicated servers).

We have purchased, installed and configured new switches.  The new setup increases redundancy, enables us to support more features (e.g. excluding intra-data center traffic from your data transfer allowance) and adds capacity (when you are out of network ports you cannot add much gear!).

The new gear is already in place.  But we will need to physically move the server cables over to the new switches.  This requires an unplug at the old switch and a replug at the new switch.  No changes are required to the servers themselves.

A one hour maintenance window has been set aside, between 2am - 3am NZ time on Wed 29th May. We anticipate the actual impact will be a about 2-5 minutes of network disconnection while cables are moved and network routes update.

Affected account holders will have received a direct email for this notice. Please ensure you subscribe below if you wish to receive updates.

The vulnerability

There is a bug in some Linux kernels that lets a non-root user potentially gain root access.

Impact: Privileges escalation: any local user can gain root privileges.  (Read: "This is really bad.")

Affects: Linux kernels 2.6.37 till 3.8.9 (Note: the RimuHosting provided 3.0.20 kernel is patched against this exploit).  In addition some 2.6 Centos 6 kernels may be affected (since they back ported the bug to older kernel versions).

This vulnerability could be exploited if you have exploitable webapps (e.g. old versions of Joomla or Wordpress) or if you permit users you do not trust to log in (e.g. via ssh).  If you have no malicious users and no exploitable webapps then you should be OK (but it is still a very good idea to move to a fixed kernel).

Who is affected

We will be emailing customers who may be affected directly.

You may be affected if you have a regular dedicated server with us (depending on which kernel you are using).

You would be affected if you have a VPS and are using a vulnerable RimuHosting kernel.

It may be the case if you are using pv-grub on your VPS.  In which case either switch to a RimuHosting provided kernel, or update your VPSs kernel.

To see the kernel you are running, run uname -a on the command line.  For a VPS you can also load the http://rimuhosting.com/cp/vps/kernel.jsp page.

Resolutions for affected servers

If you have a VPS, change your kernel at http://rimuhosting.com/cp/vps/kernel.jsp .  We recommend the 3.0.20 kernel (which is patched against the vulnerability).

If you have a regular dedicated server, install a new kernel.  e.g. following your distro's regular approach.  Please check they have a patched kernel available (see references below).

If you need assistance changing your kernel (on your VPS or dedicated server) we are happy to help, just pop in a support ticket.  By default on a dedicated server we would just run a yum upgrade or apt-get dist-upgrade.

RimuHosting initiated kernel changes

We will not change VPSs running pv-grub.  Rather those customers will need to update their kernel to a non-exploitable one (e.g. the one provided by their distro).  Or switch to the RimuHosting 3.0.20 kernel.

We will not change dedicated server kernels by default.  Please contact us if you wish us to help changing those.

Because of the severity of the vulnerability we _will_ be changing VPS customers running a vulnerable kernel to the 3.0.20 kernel.  We will begin that process on Monday NZT (=Sunday for US and EU based customers).  This requires a VPS restart.

If you do not wish us to change your kernel, please reply to our email and tell us not to change your kernel.

If you change your kernel to a non-vulnerable one then we will not need to do the kernel change/server restart.

References

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094
https://news.ycombinator.com/item?id=5703758

Debian dedicated servers: https://security-tracker.debian.org/tracker/CVE-2013-2094
Centos 6 dedicated servers: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2094
Ubuntu dedicated servers: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2094.html and https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1179943