
Security wget 1.20.3 security fix release

Discussion in 'Centmin Mod News' started by eva2000, Apr 7, 2019.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Wget has in a span of a few days released two security fix versions 1.20.2 and 1.20.3 (buffer overflow vulnerability CVE-2019-5953).
    • Below are instructions specific and different for 2 versions of Centmin Mod, 123.08stable and 123.09beta01.
    • Centmin Mod 123.08stable may eventually require upgrading and switching to 123.09beta01, as the wget auto update routine in 123.08stable is much older. It may work with wget 1.20.3, but if you have problems, then switching to 123.09beta01 is the only way right now. If you are concerned with your customisations being lost, read how to back up customisations before upgrading at How to upgrade Centmin Mod + backing up customisations.

    Centmin Mod 123.09beta01



    Centmin Mod 123.09beta01 and newer versions can do auto update for wget when you update Centmin Mod code locally via cmupdate command and then do a re-run of centmin.sh menu once and then exit the centmin.sh menu via option 24.

    Commands to run are
    Code (Text):
    cmupdate
    cmdir
    ./centmin.sh

    or
    Code (Text):
    cmupdate
    cd /usr/local/src/centminmod
    ./centmin.sh
    

    or
    Code (Text):
    cmupdate
    centmin
    

    All 3 variations do the same thing: update Centmin Mod, run the centmin.sh menu, and then run centmin.sh menu option 24 to exit.

    example of when you run centmin.sh menu option and it detects a newer wget version 1.20.3
    Code (Text):
    ./centmin.sh
    
    update wget 1.20.3 & pcre 8.43 version... one time task
    

    It will compile the updated wget 1.20.3 with the required pcre version, complete with the version installed and the time it took to install it, and return you to the centmin.sh menu, where you can exit.
    Code (Text):
    --------------------------------------------------------
    wget 1.20.3 installed at /usr/local/bin/wget
    https://community.centminmod.com/tags/wget/
    --------------------------------------------------------
    
    Total wget Install Time: 58.561466041 seconds
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com    
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ]
    


    Centmin Mod 123.08stable




    For Centmin Mod 123.08stable or earlier, the wget update routine is much older, so it may work with wget 1.20.3, but if you have problems, the only way right now is to switch and upgrade from Centmin Mod 123.08stable to 123.09beta01 using the following steps. If you are concerned with your customisations being lost, read how to back up customisations before upgrading at How to upgrade Centmin Mod + backing up customisations.

    How to update wget 1.20.3 within 123.08stable branch ?


    1. setup git environment via centmin.sh menu option 23 submenu 1
    2. then centmin.sh menu option 23 submenu option 2 to update 123.08stable to latest code
    3. then exit centmin.sh menu via option 24
    4. then launch centmin.sh once and let wget auto update
      Code (Text):
      cd  /usr/local/src/centminmod
      ./centmin.sh

      once complete, exit centmin.sh

    How to switch from 123.08stable to 123.09beta01 branch ?



    If you're using Centmin Mod 1.2.3-eva2000.08 stable release (123.08stable branch) and wget 1.20.3 update routine doesn't work on centmin.sh launch outlined above in How to update wget 1.20.3 within 123.08stable branch ? section, then you have to switch to Centmin Mod 123.09beta01 for wget auto update to work. Switching from 123.08stable branch to 123.09beta01 branch is easy via centmin.sh menu option 23 submenu option 3 (you can switch between 123.09beta01 back to 123.08 stable via same submenu option 3 too).

    launch centmin.sh via cmd shortcut = centmin or via command in SSH below or check out dedicated menu page and youtube video on how to invoke centmin.sh.
    Code (Text):
    cd  /usr/local/src/centminmod
    ./centmin.sh


    If you already have git environment via centmin.sh menu option 23 submenu 1, go straight to centmin.sh option 23 submenu option 3. If you have yet to run centmin.sh option 23 submenu option 1, follow guide at centminmod.com/upgrade.html and ensure you run centmin.sh menu option 23 submenu option 1 first and then exit centmin.sh. Then log out and log back into SSH window session to complete the process before proceeding further.

    Code (Text):
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 23
    --------------------------------------------------------


    centmin.sh option 23 submenu option 3 will list out all available remote branches on github in date descending order with most recently updated remote branch at top and prompt you to enter the branchname you want to switch to which in this case is 123.09beta01

    Code (Text):
    --------------------------------------------------------
            Centmin Mod Updater Sub-Menu
    --------------------------------------------------------
    1). Setup Centmin Mod Github Environment
    2). Update Centmin Mod Current Branch
    3). Update Centmin Mod Newer Branch
    4). Exit
    --------------------------------------------------------
    Enter option [ 1 - 4 ] 3
    --------------------------------------------------------
    
    fetching latest branch list...
    
    Update Centmin Mod to newer branch via git
    You need to input the name of the branch
    List of current remote branches by descending date order
    
    123.09beta01
    123.08stable
    
    Enter the branch name you want to switch to i.e. 123.09beta01 : 123.09beta01
    
    download github.com centmin mod 123.09beta01 branch repo
    time git clone -b 123.09beta01 --depth=1 https://github.com/centminmod/centminmod.git centminmod
    Cloning into 'centminmod'...
    
    real    0m1.634s
    user    0m0.280s
    sys     0m0.136s
    
    list all available local branches
            git branch -a
    * 123.09beta01
      remotes/origin/123.09beta01
    
    list git log last commit
            git log -a
    commit 071704dc6e8548c184d55080eda4a00abbf9e9e8
    Author: George Liu <snipped>
    Date:   Mon May 29 11:19:36 2017 +1000
    
        update inc/updater_submenu.inc
    
        exclude some branches for change branch listing
    
    to update centmin mod 123.09beta01 branch repo via git
            cd /usr/local/src/centminmod
            git stash
            git pull
            chmod +x centmin.sh
    
    ####################### IMPORTANT #######################
     To complete update
    ####################### IMPORTANT #######################
     run:
    
      cd /usr/local/src/centminmod
    
     before invoking centmin.sh again
    ####################### IMPORTANT #######################
    


    once switched to Centmin Mod 123.09beta01, exit centmin.sh. Then log out and log back into SSH window session to complete the process

    Then run either one of the variants of commands to update

    Code (Text):
    cmupdate
    cmdir
    ./centmin.sh

    or
    Code (Text):
    cmupdate
    cd /usr/local/src/centminmod
    ./centmin.sh
    

    or
    Code (Text):
    cmupdate
    centmin
    

    All 3 variations do the same thing: update Centmin Mod, run the centmin.sh menu, and then run centmin.sh menu option 24 to exit.
     
    Last edited: Apr 7, 2019
  2. eva2000

    eva2000 Administrator Staff Member


    Why does Centmin Mod source compile wget ?



    Folks may ask why does Centmin Mod source compile wget instead of relying on CentOS YUM repo's version of wget ? Redhat/CentOS YUM repo versions of wget are much older and only get backported fixes via minor version increments i.e. CentOS 7 wget YUM package version is wget-1.14-18 with -18 increment in minor versions.
    Code (Text):
    rpm -qa wget
    wget-1.14-18.el7.x86_64
    

    Looking at the first 8 entries of the CentOS 7 wget YUM package's change log (the change log is in reverse descending order with the latest entry first) shows the last wget update for the CentOS wget YUM package was May 9, 2018, to fix security issue CVE-2018-0494.
    Code (Text):
    rpm -qa wget --changelog | head -n8
    * Wed May 09 2018 Tomas Hozza <thozza@redhat.com> - 1.14-18
    - Fix CVE-2018-0494 (#1576106)
    
    * Mon Apr 23 2018 Tomas Hozza <thozza@redhat.com> - 1.14-17
    - Fix segfault when Digest Authentication header is missing 'qop' part (#1545310)
    
    * Tue Oct 24 2017 Tomas Hozza <thozza@redhat.com> - 1.14-16
    - Fixed various security flaws (CVE-2017-13089, CVE-2017-13090)
    

    For Redhat/CentOS the wget 1.20.3 fix CVE-2019-5953 only applies to Redhat/CentOS 7 and not 5 or 6 according to 1695679 – (CVE-2019-5953) CVE-2019-5953 wget: Buffer overflow vulnerability, but they have yet to release a wget YUM update. It will come; the delays are just inherent when using YUM and package managers compared to direct source compilation like Centmin Mod LEMP stack does for important critical software like wget, nginx and php-fpm.

    Basic summary is:
    1. YUM updates are sometimes delayed, so Centmin Mod uses a more up to date wget version, as wget security is important: it's the front line entry window for downloading files and source code that get installed on the server.
    2. CentOS's version of wget via YUM repo is still installed at /usr/bin/wget
      Code (Text):
      /usr/bin/wget -V
      GNU Wget 1.14 built on linux-gnu.
      
      +digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl 
      
      Wgetrc: 
          /etc/wgetrc (system)
      Locale: /usr/share/locale 
      Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
          -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -O2 -g -pipe 
          -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
          --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic 
      Link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
          -fstack-protector-strong --param=ssp-buffer-size=4 
          -grecord-gcc-switches -m64 -mtune=generic -lssl -lcrypto 
          /usr/lib64/libssl.so /usr/lib64/libcrypto.so /usr/lib64/libz.so 
          -ldl -lz -lz -lidn -luuid -lpcre ftp-opie.o openssl.o http-ntlm.o 
          ../lib/libgnu.a 
      

    3. However, Centmin Mod source compiles a more up to date wget version at /usr/local/bin/wget, and a command alias is set up in /root/.bashrc mapping the wget command to /usr/local/bin/wget. This allows both the wget YUM version and the Centmin Mod source compiled wget version to co-exist simultaneously.
      Code (Text):
      alias wget='/usr/local/bin/wget'

      Code (Text):
      /usr/local/bin/wget -V
      GNU Wget 1.20.3 built on linux-gnu.
      
      -cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls 
      +ntlm +opie -psl +ssl/openssl 
      
      Wgetrc: 
          /usr/local/etc/wgetrc (system)
      Locale: 
          /usr/local/share/locale 
      Compile: 
          ccache gcc -std=gnu11 -DHAVE_CONFIG_H 
          -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" 
          -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I 
          /usr/local/include -I /usr/include -DHAVE_LIBSSL -DNDEBUG -O2 -g 
          -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
          -fstack-protector-strong --param=ssp-buffer-size=4 
          -grecord-gcc-switches -m64 -mtune=generic 
      Link: 
          ccache gcc -std=gnu11 -I /usr/local/include -I /usr/include 
          -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
          -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
          -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre 
          -luuid -L /usr/lib64 -lssl -lcrypto -lz ftp-opie.o openssl.o 
          http-ntlm.o ../lib/libgnu.a 
      
     
    Last edited: Apr 7, 2019
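A post-update check for the two co-existing wget binaries described in this thread, added here as an example; it is not part of the original posts or of Centmin Mod. The helper names are hypothetical, while the two paths, the 1.20.3 threshold and the CVE id are taken from the thread.

```sh
#!/bin/sh
# Added example (hypothetical helper names); paths and versions are from the thread.
FIXED=1.20.3   # release the thread names as fixing CVE-2019-5953

# Read `wget -V` output on stdin and print the version from its first line.
banner_version() {
    sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "ok VERSION", "old VERSION" or "unknown" for banner text on stdin.
classify_banner() {
    v=$(banner_version)
    if [ -z "$v" ]; then echo unknown
    elif version_ge "$v" "$FIXED"; then echo "ok $v"
    else echo "old $v"
    fi
}

audit_wget() {
    for bin in /usr/local/bin/wget /usr/bin/wget; do
        [ -x "$bin" ] || { echo "$bin: not present"; continue; }
        echo "$bin: $("$bin" -V 2>/dev/null | classify_banner)"
    done
    # Aliases from /root/.bashrc are not expanded in cron jobs or scripts,
    # so PATH order decides which binary those actually run.
    echo "PATH resolves wget to: $(command -v wget 2>/dev/null || echo none)"
    # Distro packages backport fixes: judge the RPM by its changelog, not
    # by comparing its upstream version number.
    if command -v rpm >/dev/null 2>&1 && rpm -q wget >/dev/null 2>&1; then
        rpm -q --changelog wget | grep -q 'CVE-2019-5953' \
            && echo "rpm wget: changelog lists CVE-2019-5953" \
            || echo "rpm wget: changelog does not list CVE-2019-5953 yet"
    fi
}

audit_wget
```

An "old" result for /usr/bin/wget only means its upstream version is below 1.20.3; for that binary the changelog line is the one to act on.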