Doug:

 

I apologize for not responding to your post yesterday, but I was out of the office for most of the afternoon. I wanted to provide you additional information after discussing the situation with Michael Keane, K1MK.

 

You are correct; the website is indeed running on CentOS 5.10 / Apache 2.2.3. CentOS is, in the simplest of terms, the Linux operating system. The reason that we are still on CentOS 5.10 is that we need to do a full-scale risk reduction exercise to ensure that the Fathom website doesn't break upon upgrade to a more recent version of CentOS. And if it does break in the process, how to fix it.

 

However, the End-of-Life (EOL) for Maintenance Updates of CentOS 5.10 (and its Apache 2.2.3) is coming March 31, 2017, so we must plan on upgrading before then. The current security plan, which was attached to the Report of the CFO as Appendix 2, includes all the tasks we need to do in 2015. This upgrade is not a priority for 2015. To do it this year would require us to eliminate/defer some of the steps in the current security plan or increase resources (inside or outside). Neither step is required immediately.

 

That said, CentOS is being employed because it provides us with a degree of stability in our production environments. Upgrading individual pieces of CentOS would defeat the purpose of employing it and would likely end up being a maintenance and update nightmare. Having packages in CentOS that are on the "Legacy Branch" is more advantageous from an operations perspective than the alternative of being on the "Bleeding Edge" and having applications continuously breaking.

 

And please understand, the packages in CentOS are in fact being updated with bug and security fixes from upstream, but without applying the sort of upgrades that add or subtract features and change the version number. This is a primary value-added in using the CentOS distribution: having a product team behind CentOS to provide the engineering judgment about which upgrades can safely be applied and which should not be. While CentOS 5 does employ an Apache server that has a feature set and version number that were frozen seven years ago, it is most definitely NOT a seven year old version of Apache. The version of Apache 2.2.3 on the website was most recently updated with fixes from upstream that were released in April 2014.

 

I realize this was a long answer but I thought it was important to bring all the details to light.

 

73,

 

Barry J. Shelley, N1VXY

Chief Financial Officer

ARRL, Inc.

The National Association for Amateur Radio

 

(860) 594-0212

www.arrl.org
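The point Barry makes above (a frozen upstream version string such as "Apache/2.2.3" says nothing about whether distribution-backported security fixes are present) can be verified on the host itself, because on an RPM-based distribution the backports are recorded in the package changelog and in the package release number, not in the upstream version. The script below is an added example for this page, not code from the ARRL thread or from CentOS. It parses changelog text in the format `rpm -q --changelog httpd` emits and splits a package name-version-release string as `rpm -q httpd` prints it. The changelog content, the packager name, the release numbers (-87, -82) and the CVE identifiers in it are all constructed placeholders so the script runs offline; they do not correspond to real advisories.

```shell
#!/bin/sh
# Added example (not from the ARRL thread or the CentOS project).
# Shows how an operator checks whether a package whose upstream version is
# frozen (Apache 2.2.3 on CentOS 5) is still receiving backported fixes.
#
# On a live host you would feed the functions real data:
#   rpm -q --changelog httpd | extract_cves
#   rpm -q --changelog httpd | latest_entry_date
#   rpm -q httpd | split_nvr
#
# Below is a CONSTRUCTED sample changelog with placeholder CVE IDs and
# made-up release numbers so the example runs without an RPM system.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 Example Packager <packager@example.invalid> - 2.2.3-87
- fix CVE-2014-0001: placeholder security fix (constructed ID, not a real advisory)
- fix CVE-2013-0002: placeholder security fix (constructed ID, not a real advisory)

* Mon Jul 01 2013 Example Packager <packager@example.invalid> - 2.2.3-82
- fix CVE-2013-0003: placeholder security fix (constructed ID, not a real advisory)
- fix CVE-2014-0001: listed again to show de-duplication'

# Read changelog text on stdin; print every CVE ID it references once, sorted.
# A frozen "2.2.3" version string with a non-empty list here means the distro
# has been backporting fixes into that version.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Read changelog text on stdin; print the date of the newest entry.
# RPM changelog headers look like: "* Tue Apr 08 2014 Name <mail> - ver-rel".
# This is the date to compare against "the version string is from 2007".
latest_entry_date() {
    grep '^\* ' | head -n 1 \
        | sed -E 's/^\* ([A-Za-z]{3} [A-Za-z]{3} [0-9]{2} [0-9]{4}).*/\1/'
}

# Read changelog text on stdin; exit 0 if the given CVE ID is mentioned.
# Usage: printf '%s\n' "$changelog" | has_fix_for CVE-2014-0001
has_fix_for() {
    grep -q -F -- "$1"
}

# Read a name-version-release string (e.g. httpd-2.2.3-87.el5.centos) on stdin
# and print "<upstream version> <distro release>". Backports bump only the
# second field, which is why the Server header still says 2.2.3.
split_nvr() {
    sed -E 's/^[a-z0-9_+.-]+-([0-9][0-9.]*)-([^ ]+)$/\1 \2/'
}

# Demonstration on the constructed sample.
printf 'Newest changelog entry : %s\n' "$(printf '%s\n' "$SAMPLE_CHANGELOG" | latest_entry_date)"
printf 'Backported CVE fixes   :\n'
printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves | sed 's/^/  /'
printf 'Version / release      : %s\n' "$(printf 'httpd-2.2.3-87.el5.centos\n' | split_nvr)"
if printf '%s\n' "$SAMPLE_CHANGELOG" | has_fix_for CVE-2014-0001; then
    echo 'CVE-2014-0001 (placeholder) : fixed in this package build'
fi
```

The useful operational check is the pair of numbers `split_nvr` prints: the first is the upstream version that appears in the Server header and never changes on the EL5 branch, the second is the distribution release that increments each time a backport is shipped. Auditing the host with the second field and the changelog dates, rather than with the banner alone, is what separates "frozen version number" from "unpatched server".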


From: arrl-odv [mailto:arrl-odv-bounces@reflector.arrl.org] On Behalf Of Rehman, Doug, K4AC
Sent: Monday, February 16, 2015 1:49 PM
To: arrl-odv
Subject: [arrl-odv:23969] Re: arrl.org is Down

 

It is rather concerning that the 503 page is indicating our server is running “Apache/2.2.3” which was released in July 2007. The current release of Apache 2.2 (the webserver software) is 2.2.29. Worse yet, 2.2 is a legacy branch of the software; the current software branch is 2.4 with the current release being 2.4.12.

 

I have brought up on this reflector and in person at Board Meetings for more than 8 months that a cornerstone of IT security is running up-to-date software. We’ve already been hacked twice before, at least one of which was likely due to substantially outdated software. Yet we still have a server running on seven year old software???????????????????????????????????????????????????????????

 

Doug

K4AC