Security Issues?



globaled
09-27-2005, 03:37 PM
Since Miva 5.0 was installed (July 20, 2005) I have been unable to run the upgrade procedure provided by miva. This turned out to be a hosting issue and westhost has been aware of the problem since about the same time. This did not concern me while there were no updates so I waited patiently for westhost to fix the problem (2 MONTHS)! On 9/13/05 miva provided an update patch to fix a security issue - 2 WEEKS AGO -. Westhost has been aware of this for 2 weeks and still has not corrected the problem. Since my site is not 'live' - yet - I'm not worried about the security problem. I am wondering, though, why nothing has been done and if anyone else has had this problem?

WestHost - TErnstrom
09-28-2005, 08:39 AM
globaled,

The Auto-Update piece in Miva Merchant 5 requires the use of OpenSSL 0.9.7 or later. The WestHost VDS has version 0.9.6b (distributed with RedHat) installed. Although various patches and updates have been made to version 0.9.6b, making it equivalent in security and functionality to 0.9.7, the version number has not changed... and Miva doesn't like it.
We upgraded the version of SSL (used by SharedSSL) on our servers to version 0.9.7 hoping that would solve the problem. Miva still does not like it.
The next step is to create a new Site Application in the VDS for OpenSSL 0.9.8 (latest version). Unfortunately, there are so many things dependent on the RedHat installation of OpenSSL that we can't simply update it across the board (doing so would break much of the functionality in Site Manager). The OpenSSL Site Application is in the early stages of development, but much testing will have to be done before it can be released. At this point we can only be hopeful that it will solve the Auto Update issue for Miva Merchant 5 clients.

Please know that WestHost is making every effort possible to remedy this issue. We apologize for the length of time it is taking; we would also like to see the issue resolved soon.

WestHost - TErnstrom
10-05-2005, 03:25 PM
An update for those interested...

It seems that the auto update for Miva 5 only uses 2 libraries from OpenSSL 0.9.7. These libraries are:
- libssl.so
- libcrypto.so

Testing has shown that we can install version 0.9.7 to an alternate location within the VDS and then repoint miva.conf to the needed libraries in the 0.9.7 directory.

So far we have seen that the auto update fails with OpenSSL version 0.9.8 (the latest). Miva has yet to be able to explain this behavior.
We hesitate to create a new Site Application for OpenSSL 0.9.7 because it is not the latest version. We are hopeful to get an explanation and/or resolution from Miva shortly.

WestHost - TErnstrom
10-18-2005, 09:02 AM
This afternoon, all accounts with Miva Merchant 5 currently installed will be receiving an update to their install of Miva that includes the OpenSSL 0.9.7 libraries needed to run AutoUpdate. You will not need to install or modify anything, the patch will automatically be applied.

Additionally, the Miva Merchant 5 site applications will be modified to reflect the change, and anyone installing it in the future will also receive this fix.

Thanks for your patience in this matter.

proaudiogear4less
10-18-2005, 09:18 AM
Great news!
Thanks for the heads-up.
I'll look forward to getting my store updated and patched.

MFlow_Mark
11-16-2005, 04:45 PM
> This afternoon, all accounts with Miva Merchant 5 currently installed will be receiving an update to their install of Miva that includes the OpenSSL 0.9.7 libraries needed to run AutoUpdate. You will not need to install or modify anything, the patch will automatically be applied.
>
> Additionally, the Miva Merchant 5 site applications will be modified to reflect the change, and anyone installing it in the future will also receive this fix.
>
> Thanks for your patience in this matter.

Hi, sorry to bother you, but could you detail the files from OpenSSL 0.9.7 that you used to repair this issue? We are hosting our own site and I cannot get any updates because of this issue. We do not have a support contract with Miva so they won't give me the time of day.

WestHost - DLong
11-18-2005, 09:05 AM
The following are the procedures that the development team followed in order to allow Miva 5 to use OpenSSL:

1. Download the OpenSSL 0.9.7 source file to your home directory:
a. wget http://www.openssl.org/source/openssl-0.9.7.tar.gz
2. Create openssl directory within mm5 directory:
a. cd ~/www/mm5
b. mkdir openssl
3. Extract the openssl libraries
a. tar xzf ~/openssl-0.9.7.tar.gz -C ~/www/mm5/openssl
4. Configure the miva.conf file, located at /etc/httpd/conf/miva.conf, by changing the following variables
a. SetEnv MvCONFIG_SSL_OPENSSL /home/<vps user>/www/mm5/openssl/lib/libssl.so
b. SetEnv MvCONFIG_SSL_CRYPTO /home/<vps user>/www/mm5/openssl/lib/libcrypto.so

The development team has also updated the Miva Merchant engine, also known as Empressa, to 5.03. We have had reports that updating the engine will allow Miva 5 to work with the OpenSSL 0.9.6 libraries.
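As an added example (not WestHost's or Miva's own code), a POSIX shell check for the miva.conf settings above: it reads the two SetEnv lines, finds which OpenSSL version banner each referenced library carries, and flags anything below 0.9.7, which is what AutoUpdate insists on. The conf file, paths and fake libraries built by make_demo are constructed for the demonstration.

```shell
# Added example, not WestHost's or Miva's code: parse miva.conf, read the
# OpenSSL banner out of each referenced library and flag anything below 0.9.7.
# The config and "libraries" built by make_demo are constructed for the demo.

# Print the value of one SetEnv variable from a miva.conf-style file.
miva_env_path() {            # $1 = conf file, $2 = variable name
    awk -v k="$2" '$1 == "SetEnv" && $2 == k { print $3; exit }' "$1"
}

# Pull the "OpenSSL x.y.z" banner compiled into a shared library. grep -a
# scans binaries; "unknown" means no banner (or the file is not OpenSSL).
lib_openssl_version() {      # $1 = path to libssl.so or libcrypto.so
    v=$(grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# True if the banner is at least 0.9.7. Plain lexical sort is enough within
# the 0.9.x series; a patched 0.9.6b still reads 0.9.6b, exactly Miva's complaint.
openssl_at_least_097() {     # $1 = banner such as "OpenSSL 0.9.6b"
    ver=${1#OpenSSL }
    case "$ver" in [0-9]*) ;; *) return 1 ;; esac
    [ "$(printf '%s\n0.9.7\n' "$ver" | sort | head -n 1)" = "0.9.7" ]
}

# Check both libraries named in the conf; one line each, non-zero if any fail.
check_miva_conf() {          # $1 = path to miva.conf
    rc=0
    for var in MvCONFIG_SSL_OPENSSL MvCONFIG_SSL_CRYPTO; do
        lib=$(miva_env_path "$1" "$var")
        if [ -z "$lib" ]; then printf '%s: not set\n' "$var"; rc=1; continue; fi
        if [ ! -r "$lib" ]; then printf '%s: %s missing\n' "$var" "$lib"; rc=1; continue; fi
        v=$(lib_openssl_version "$lib")
        if openssl_at_least_097 "$v"; then printf '%s: %s -> %s OK\n' "$var" "$lib" "$v"
        else printf '%s: %s -> %s too old for AutoUpdate\n' "$var" "$lib" "$v"; rc=1; fi
    done
    return $rc
}

# Constructed demo: a conf pointing at a still-0.9.6b libssl (RedHat style) and
# a 0.9.7 libcrypto, so one line passes and one fails. Prints the conf path.
make_demo() {                # $1 = scratch directory
    mkdir -p "$1/openssl/lib"
    printf 'OpenSSL 0.9.6b 9 Jul 2001\n' > "$1/openssl/lib/libssl.so"
    printf 'OpenSSL 0.9.7 31 Dec 2002\n' > "$1/openssl/lib/libcrypto.so"
    printf 'SetEnv MvCONFIG_SSL_OPENSSL %s/openssl/lib/libssl.so\n' "$1" > "$1/miva.conf"
    printf 'SetEnv MvCONFIG_SSL_CRYPTO %s/openssl/lib/libcrypto.so\n' "$1" >> "$1/miva.conf"
    printf '%s\n' "$1/miva.conf"
}

d=$(mktemp -d); check_miva_conf "$(make_demo "$d")" || echo "fix miva.conf first"; rm -rf "$d"
```

Point it at the real /etc/httpd/conf/miva.conf on a VDS and it reports what AutoUpdate will see for each library before you try the update again.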

MFlow_Mark
11-18-2005, 02:08 PM
> The following are the procedures that the development team followed in order to allow Miva 5 to use OpenSSL:
>
> 1. Download the OpenSSL 0.9.7 source file to your home directory:
> a. wget http://www.openssl.org/source/openssl-0.9.7.tar.gz
> 2. Create openssl directory within mm5 directory:
> a. cd ~/www/mm5
> b. mkdir openssl
> 3. Extract the openssl libraries
> a. tar xzf ~/openssl-0.9.7.tar.gz -C ~/www/mm5/openssl
> 4. Configure the miva.conf file, located at /etc/httpd/conf/miva.conf, by changing the following variables
> a. SetEnv MvCONFIG_SSL_OPENSSL /home/<vps user>/www/mm5/openssl/lib/libssl.so
> b. SetEnv MvCONFIG_SSL_CRYPTO /home/<vps user>/www/mm5/openssl/lib/libcrypto.so
>
> The development team has also updated the Miva Merchant engine, also known as Empressa, to 5.03. We have had reports that updating the engine will allow Miva 5 to work with the OpenSSL 0.9.6 libraries.


Thank you so very much for this very important information :) I really appreciate it...

Cheers