Posts Tagged ‘redhat’

CVE-2010-3081: 64bit Linux Kernel Root Exploit

September 20th, 2010 1 comment

Well, it’s been a heavy week on the security front. First up is a Linux root exploit for 64-bit machines.

A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the “compat_alloc_user_space” method with an arbitrary length input.

What does that mean? Essentially, the compat_alloc_user_space function was missing sanity checks on the length and on whether the resulting pointer to the block of memory lies within the user space of the process. The fix has already been committed, but if you are running any x64 version of Linux, make sure you update your kernel – especially now that the exploit code is publicly available!

Read up on the exploit by Jeff Arnold from Ksplice and use this very useful CVE-2010-3081 high-profile exploit detection tool to determine if your boxen are already compromised.

Of particular note from his article is the breadth of exploitable distributions – see the references below for vendor specific information:

This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

After downloading and running the tool under a non-sudo account, you should cheerfully get the following output.

thushan@dingo:~/tmp$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.32-23-server
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081.
thushan@dingo:~/tmp$

If not, it’s time to put those security drills into action!
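An added example (not part of the original post, and not Ksplice's code): a fail-closed triage of saved diagnose-2010-3081 output, useful when the tool has been run across many hosts. It relies only on the negative wording shown in the output above; the positive-result wording in the constructed "suspect" sample is an assumption.

```shell
#!/bin/sh
# Added example, not Ksplice's code. Reads saved diagnose-2010-3081
# output on stdin and prints CLEAN, SUSPECT or INCOMPLETE.
classify_report() {
    awk '
        # One line per backdoor check, e.g.
        #   $$$ Backdoor in IDT (3/3): checking...not present.
        /Backdoor in / {
            checks++
            # Only the two negative results shown on the page count as ok.
            if ($0 ~ /(not present|not available)\.[ \t\r]*$/) ok++
        }
        /^Your system is free from the backdoors/ { verdict = 1 }
        END {
            # The tool numbers its checks (n/3); fewer means truncated output.
            if (checks < 3)                   print "INCOMPLETE"
            else if (ok == checks && verdict) print "CLEAN"
            else                              print "SUSPECT"
        }'
}

# Output as shown in the post.
sample_clean() {
    cat <<'EOF'
$$$ Kernel release: 2.6.32-23-server
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081.
EOF
}

# Constructed sample: the wording of a positive result is an assumption.
sample_suspect() {
    cat <<'EOF'
$$$ Kernel release: 2.6.32-23-server
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...FOUND (constructed wording)
EOF
}

# Constructed sample: output cut off before the third check.
sample_truncated() {
    cat <<'EOF'
$$$ Kernel release: 2.6.32-23-server
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
EOF
}

for s in sample_clean sample_suspect sample_truncated; do
    printf '%s: %s\n' "$s" "$($s | classify_report)"
done
```

Anything other than CLEAN deserves a closer look at the host, since a missing or unrecognised line is treated the same as a positive result.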

References


Fedora 12 released

November 18th, 2009 No comments

It only feels like last month that Fedora 11 was released, alas Fedora 12 is out now. Read about the changes and updates found in Fedora 12 or maybe just view the summary or a full list if you’re uber keen.

Amongst the many changes, important ones to look forward to (from the release notes):

* Optimized performance - All software packages on 32-bit (x86_32)
  architecture have been compiled for i686 systems, with special
  optimization for the Intel Atom processors used in many netbooks,
  but without losing compatibility with the overwhelming majority of
  CPUs.

* Smaller and faster updates - In Fedora 11, the optional yum-presto
  plugin, developed by Fedora contributor Jonathan Dieter, reduced
  update size by transmitting only the changes in the updated
  packages. Now, the plugin is installed by default. Also, RPMs now
  use XZ rather than gzip for compression, providing smaller package
  sizes without the memory and CPU penalties associated with
  bzip2. This lets us fit more software into each Fedora image, and
  uses less space on mirrors, making their administrators' lives a
  little easier. Thanks to the Fedora infrastructure team for their
  excellent work in setting up the infrastructure to generate delta
  RPMs on the fly for all the updates.

* NetworkManager broadband and other enhancements - NetworkManager,
  originally developed by Red Hat's Dan Williams, was introduced in
  Fedora 7 and has become the de facto network configuration solution
  for distributions everywhere. Enhancements to NetworkManager make
  both system-wide connections and mobile broadband connections easier
  than ever. Bluetooth PAN support offers a simple click through
  process to access the Internet from your mobile
  phone. NetworkManager can now configure always-on and static address
  connections directly from the desktop. PolicyKit integration has
  been added so configuration management can be done via central
  policy where needed. IPv6 support has also been improved.

* Next-generation (Ogg) Theora video - For several years, Theora, the
  open and free format not encumbered by known patents has provided a
  way for freedom-loving users to share video. Fedora 12 includes the
  new Theora 1.1, which achieves very high quality comparable to
  H.264, meeting the expectations of demanding users with crisp,
  vibrant media in both streaming and downloadable form. Thanks to the
  work of the Xiph.Org Foundation's Christopher "Monty" Montgomery,
  sponsored by Red Hat, other Xiph developers and the contribution of
  Mozilla.org, Theora videos now deliver much better quality primarily
  via enhancements in the encoder without any change in the format,
  making it available to all Theora users. Using Theora video and
  Vorbis audio formats, Firefox 3.5 and applications using the
  Gstreamer multimedia framework can deliver free media on the web out
  of the box even better than the previous release of Fedora. Theora
  is being rapidly adopted by several popular websites including
  Wikipedia, VideoPress and DailyMotion. Fedora Project is proud to
  support communities of free culture and open content as part of our
  mission. More details at "theora 1.1 is released – what you should
  know".

* Graphics support improvements - Fedora 12 introduces experimental 3D
  support for AMD Radeon HD 2400 and later graphics cards. To try it
  out, install the mesa-dri-drivers-experimental package. On many
  cards, this support should allow desktop effects to be used. Kernel
  mode setting (KMS) support, which was introduced on AMD hardware in
  Fedora 10 and extended to Intel hardware in Fedora 11, is now
  extended to NVIDIA hardware as well, meaning the great majority of
  systems now benefit from the smooth, fully-graphical startup
  sequence made possible by KMS. The Fedora graphical startup sequence
  now works better on systems with multiple monitors. Also on multiple
  monitor systems, the desktop will now automatically be spread across
  all monitors by default, rather than having all monitors display the
  same output, including on NVIDIA chips (where multiple monitor
  spanning was not possible without manual configuration changes in
  Fedora 11). Systems with NVIDIA graphics chips also gain initial
  support for suspend and resume functionality via the default Nouveau
  driver. Initial support for the new DisplayPort display connector
  has been added for Intel graphics chips. Support for Nvidia and ATI
  systems is already under rapid development and will be included in
  the next release of Fedora. Thanks to the Red Hat Xorg team
  including Adam Jackson (X server), Kristian Høgsberg (Intel driver),
  Dave Airlie and Jerome Glisse (Radeon driver for AMD), and Ben
  Skeggs (Nouveau driver for NVIDIA).

* Virtualization improvements - Not content with all the improvements
  in Fedora 11, we've kicked virtualization based on KVM up another
  notch in Fedora 12. There are extensive improvements in performance,
  management, and resource sharing, and still more security
  enhancements. A new library (libguestfs) and an interactive tool
  (guestfish) are now available for directly accessing and modifying
  virtual machine disk images. Richard W.M. Jones from Red Hat's
  virtualization team has a list of extensive virtualization tools
  available and coming up for Fedora at Fedora virt-* commands

* Automatic reporting of crashes and SELinux issues - Abrt, a tool to
  help non-power users report crashes to Bugzilla with a few mouse
  clicks, is now enabled by default. Abrt collects detailed
  information automatically and helps developers identify and resolve
  issues faster, improving the quality of individual upstream
  components and Fedora. The SELinux alert monitoring tool has also
  added the ability to report SELinux issues to Bugzilla quickly and
  easily with just a couple of clicks.

* New Dracut initrd generation tool - Up until Fedora 11, the boot
  system (initial ram disk or initrd) used to boot Fedora was
  monolithic, very distribution specific, and didn't provide much
  flexibility. This has been replaced with Dracut, an initial ram disk
  generation tool with an event-based framework designed to be
  distribution-independent. Dracut has been also adopted by OLPC which
  uses Fedora; OLPC modules for Dracut are available in the Fedora
  repository. Thanks to the Dracut team, including Harald Hoyer,
  Jeremy Katz, Dave Jones, and many others.

* PackageKit plugins - PackageKit now has a plugin which can install
  an appropriate package when a user tries to run a command from a
  missing package. Another new plugin allows installation of software
  packages from a web browser. Thanks to Red Hat's Richard Hughes and
  the PackageKit team.

* Bluetooth on-demand - Bluetooth services are automatically started
  when needed and stopped 30 seconds after last device use, reducing
  initial startup time and resource use when Bluetooth is not in
  active use. Thanks to Red Hat's Bastien Nocera.

* Moblin graphical interface for netbooks - In additional to special
  compiler optimization for netbooks in this release and the continued
  integration of Sugar interface, the Moblin graphical interface and
  applications are fully integrated thanks to Peter Robinson, a Fedora
  Project volunteer, and others. Collaboration between the Moblin
  project and Fedora was accelerated since Moblin itself is largely
  based on Fedora. To use it, just install the Moblin Desktop
  Environment package group using yum or the graphical software
  management tools, and choose Moblin from the login manager. A Moblin
  Fedora Remix (installable Live CD) for Fedora 12 will also be
  available.

* PulseAudio enhancements - Red Hat's Lennart Poettering and several
  others have made significant improvements to the PulseAudio
  system. Improved mixer logic makes volume control more fine-grained
  and reliable. Integration with the Rygel UPnP media server means you
  can stream audio directly from your system to any UPnP / DLNA
  client, such as a Playstation 3. Hotplug support has been made more
  intelligent, so if you configure a device as the default output for
  a stream, unplug that device -- causing the stream(s) to be moved to
  another output device -- and later reattach it, the stream is moved
  back to the preferred device. Finally, Bluetooth audio support means
  pairing with any Bluetooth audio device makes it available for use
  through PulseAudio.

* Lower process privileges - In order to mitigate the impact of
  security vulnerabilities, permissions have been hardened for many
  files and system directories. Also, process privileges have been
  lowered for a number of core components that require super user
  privileges. Red Hat's Steve Grubb has developed a new library,
  libcap-ng, and integrated it into many core system components to
  improve the security of Fedora.

* SELinux sandbox - It is now possible to confine applications' access
  to the system and run them in a secure sandbox that takes advantage
  of the sophisticated capabilities of SELinux. Dan Walsh, SELinux
  developer at Red Hat, explains the details at
  http://danwalsh.livejournal.com/31146.html

* Open Broadcom firmware - The openfwwf open source Broadcom firmware
  is included by default. This means wireless networking will be
  available out of the box on some Broadcom chipsets.

* Hybrid live images - The Live images provided in this release can be
  directly imaged onto a USB stick using dd (or any equivalent tool)
  to create bootable Live USB keys. The Fedora Live USB Creator for
  Windows and Fedora and the livecd-tools for Fedora are still
  recommended for data persistence, encryption and non-destructive
  writes. Thanks to Jeremy Katz.

* Better webcam support - While Fedora 11 improved webcam support, in
  Fedora 12 you can expect even better video quality, especially for
  less expensive webcams. Red Hat's Hans de Goede, developer of the
  libv4l library, has more details on his continuous upstream webcam
  support enhancements at
  http://hansdegoede.livejournal.com/6989.html.

* Polished Desktop - The latest version of the GNOME desktop includes
  the lighter Gnote replacement for Tomboy as the default note
  application, and Empathy replaces Pidgin as the default instant
  messenger. The new volume control application, first seen in Fedora
  11, has been improved to cover more advanced users. There are many
  nice tweaks from the desktop team for a polished user
  experience. More details at
  http://fedoraproject.org/wiki/Desktop_Enhancements_in_Fed...

* GNOME Shell preview - Fedora 12 includes an early version of GNOME
  Shell, which will become the default interface for GNOME 3.0 and
  beyond. To try it, install the gnome-shell package, and use the
  Desktop Effects configuration tool to enable it. It will only work
  correctly from the GNOME desktop environment, not others such as KDE
  or Xfce. This is a preview technology, and some video cards may not
  be supported. Thanks to Owen Taylor from Red Hat and the GNOME Shell
  team.

* KDE 4.3 - The new KDE features an updated "Air" theme and fully
  configurable keyboard shortcuts in Plasma, improved performance and
  new desktop effects in the window manager, a new bug reporting tool,
  and a configuration tool for the LIRC infra-red remote control
  system.

* Cool new stuff for developers beginning with Eclipse Galileo, which
  includes more plugins than ever before. Perl 6 is now included,
  along with PHP 5.3. For Haskell developers, the Haskell Platform now
  provides a standardized set of libraries and tools. But one of the
  biggest changes for developers is that most of the nice new features
  of Fedora 12, from Bluetooth to webcams, are implemented through
  underlying libraries, and many of the improvements will be included
  simply by relinking your application. Also available in this release
  are SystemTap 1.0 for improved instrumenting and debugging of
  binaries, complete with Eclipse integration, and the newest NetBeans
  IDE for Java development.

* Cool new stuff for sysadmins include added functionality for
  clustered Samba services (including active/active configurations)
  over GFS2; and the ability to boot a cluster of Fedora systems from
  a single, shared root file system.

* Multi-Pointer X - The update to X.Org server 1.7 introduces the X
  Input Extension version 2.0 (XI2), with much work contributed by Red
  Hat's Peter Hutterer. This extension provides a new client API for
  handling input devices and also Multi-Pointer X (MPX)
  functionality. MPX functionality allows X to cope with many inputs
  of arbitrary types simultaneously, a prerequisite for (among others)
  multitouch-based desktops and multi-user interaction on a single
  screen. This is low-level work of which applications and desktop
  environments will incrementally take advantage in future
  releases. More details are available in the Release Notes and in the
  XI2 tag of Peter Hutterer's blog at
  http://who-t.blogspot.com/search/label/xi2

Download them from Fedora or if you’re a local:

I’m torn between using the latest Ubuntu or Fedora on the client.


CentOS 5.4 Released!

October 23rd, 2009 No comments

CentOS 5.4 has been released! Woo yeah, it’s been a while since RHEL 5.4 has been out, but check out the release notes for a list of changes.

Download mirrors are being updated, but if you’re local, here are a couple of Australian mirrors.

CentOS 5.4 x86

CentOS 5.4 x64

I just did an in-place 5.3->5.4 upgrade with a yum update. With a localised mirror, blindingly fast too!


Red Hat 5.4 released, CentOS 5.4 is coming soon!

September 3rd, 2009 No comments

If you haven’t heard already, Red Hat has released the eagerly anticipated 5.4 release of Red Hat Enterprise Linux at their Red Hat Summit in Chicago. As expected, Red Hat looks to have moved from using Xen as their favoured virtualisation hypervisor to using KVM (which is an integral part of the Linux Kernel). All this will eventually go into RHEV.

All the changes in this release are documented in the Release Notes. Unfortunately, Ext4 is still not considered usable in this release (they’re targeting RHEL6, possibly).

So what of the RHEL clone CentOS? Possibly a 2-4 week delay it seems. WOO! In the meantime, upgrading from 5.3 is easy peasy.


Mounting and activating LVM Volumes from BootCD to recover data in linux

September 2nd, 2009 3 comments

I’ve been working heavily with Red Hat Enterprise Linux (and subsequently CentOS) the past few months (shh! don’t tell my MSFT homey!) and one of the great things about CentOS and RHEL is that they both install using LVM – which is a helluvah lot easier when time passes and you realise you’re running out of space on a drive.

But today I had to recover some data from an LVM partition and copy over some bits to another partition without actually booting the CentOS install (it was bj0rked by yours truly!). What to do? Throw in an Ubuntu LiveCD (or another) and just mount the partitions 🙂

First thing we need to do is install LVM – remember we need to run these with sudo for them to work.

$ aptitude install lvm2

Then scan for any available physical volumes on any of the drives.

$ pvscan

Scan for any Volume Groups that may be present.

$ vgscan

Now activate any of the Volume Groups that it finds; running this makes the logical volumes known to the kernel.

$ vgchange --available y

Then let it scan for any Logical Volumes on any drives.

$ lvscan

After running the logical volume scan it will show the path to each logical volume; for my boxen it gives something like this:

ACTIVE            '/dev/LVM/Data' [5.26 TB] inherit

You simply mount the path specified and browse as normal 🙂

$ mount /dev/LVM/Data /mnt
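The whole procedure as one script, as an added example that is not part of the original post: it parses the lvscan output and mounts every active logical volume read-only, so the broken install is not modified while you copy data off it. The /mnt/recover base directory, the helper names and the sample lvscan lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example; helper names, mount base and sample data are constructed.

# Print the device path of every ACTIVE logical volume found in lvscan
# output on stdin. Lines look like:
#   ACTIVE            '/dev/LVM/Data' [5.26 TB] inherit
active_lvs() {
    awk -F"'" '$1 ~ /^[ \t]*ACTIVE/ && $2 != "" { print $2 }'
}

# Map a device path to its own mount point under a base directory.
mount_point_for() {   # $1 = base dir, $2 = /dev/VG/LV
    printf '%s/%s\n' "$1" "$(printf '%s' "${2#/dev/}" | tr '/' '_')"
}

# Run the procedure end to end. Needs root: sudo sh recover.sh recover
recover_all() {
    base=${1:-/mnt/recover}
    pvscan && vgscan && vgchange --available y || return 1
    lvscan | active_lvs | while read -r lv; do
        mp=$(mount_point_for "$base" "$lv")
        mkdir -p "$mp"
        # ro: do not write to the volume being recovered.
        # nosuid,nodev,noexec: treat its contents as untrusted data.
        # Note: ro alone may still replay an ext3/ext4 journal.
        mount -o ro,nosuid,nodev,noexec "$lv" "$mp" &&
            echo "$lv -> $mp (read-only)"
    done
}

# Constructed lvscan output, used to exercise the parser offline.
sample_lvscan() {
    cat <<'EOF'
  ACTIVE            '/dev/LVM/Data' [5.26 TB] inherit
  inactive          '/dev/LVM/Scratch' [10.00 GB] inherit
  ACTIVE            '/dev/VolGroup00/LogVol00' [68.00 GB] inherit
EOF
}

if [ "${1:-}" = recover ]; then
    recover_all "${2:-}"
fi
```

Volumes that cannot be mounted directly, such as swap, simply fail at the mount step and are skipped.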

Enjoy.


THIS IS FEDORA: Fedora 11 Released

June 9th, 2009 No comments

This is FEDORA.

Fedora 11 aka Leonidas has been released. Whilst the front page is yet to be updated, the mirrors are being updated as I write and ISOs are being propagated.

Download ISO:

In Australia? Try the local mirrors:

Bit of a torrenter? See the Torrent Tracker page.

Approximate sizes (from internode):

Fedora-11-i686-Live.iso             688M
Fedora-11-i686-Live-KDE.iso         686M
Fedora-11-x86_64-Live.iso           691M
Fedora-11-x86_64-Live-KDE.iso       693M

See the Fedora 11 Release Notes for more information about changes in this release, the Fedora 11 feature list or the Unofficial Fedora 11 Guide.

I’ve been awaiting this release primarily for the Linux Kernel v2.6.29 (in comparison to Jaunty’s Kernel 2.6.28) which brings a slew of updates to the table – in particular KMS (Kernel mode setting – flicker free graphics), the inclusion of Btrfs in the kernel for preliminary testing and better memory management. Of course Fedora 11 ships with X.org 1.6 as well. With the inclusion of GCC 4.4 all packages are now compiled with gcc4.4 too.

I’ve only dabbled in Fedora 10, but I think it’s a worthy move from my primarily Ubuntu lifestyle.

What’s really interesting though, is that Ubuntu 9.10 seems to have a decent performance bump, so whilst the wait for Fedora 11 is over, it’s time to get excited about the snappier Karmic Koala.


Booting CentOS 5.3 on ASUS P5WDH Deluxe

May 12th, 2009 No comments

As my journey to find the perfect setup for the new Zeus continues, I thought I’d try out CentOS 5.3. One of the many benefits of running on an open-setup, lots of HDDs, lots of room to move around, not much time though 🙁

If you find you get stuck during the installation for CentOS (and subsequently RHEL & Fedora), here’s how to get things to boot.

In the BIOS:

Power

  • Suspend Mode [Auto]
  • ACPI 2.0 Support [No]
  • ACPI APIC Support [Disabled] *uhoh*

Then when you boot, press {F4} to get the kernel options, and at the end append:

$ boot: linux irqpoll

This will hopefully boot the installer for you.

No need to do all that, see the updated post which is simpler and less hassle.