Mageia Identity Security Breach

A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to identity.mageia.org. However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.

The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords. Despite the leaked data only appearing to be names and email addresses of identity.mageia.org users, we strongly urge users to be cautious if the password used for their Mageia account is used elsewhere, and we recommend changing passwords wherever else it is used.

To regain access to your Mageia account, the reset password link should be sufficient for all users without git access.The reset password link can be obtained by asking for a password reset on https://identity.mageia.org/forgot_password after which you’ll receive a mail with the link.

For privileged users, a sysadmin should be contacted to regain access.

We sincerely apologise for any problems and inconvenience that this might cause.

Spectre-Meltdown mitigation update

This update comes to us courtesy of tmb, our kernel magician:

Since we released 4.14.18 yesterday, we now are in pretty good shape with the mitigations, especially on x86_64. We now have bits in place for Spectre v1, v2 and Meltdown.

Of course over the coming weeks/months there will be more follow-up fixes upstream to cover corner cases, missed fixes and improvements for all of this…

And we still need Intel and AMD to release microcodes so hardware vendors can release updated BIOS/EFI firmwares and to the public so we can provide microcode updates in case of vendors not providing new BIOS/EFI firmwares.

Oh, and for those that like to check 🙂 The official way of checking the kernel status is:

grep . /sys/devices/system/cpu/vulnerabilities/*

We still lack meltdown support for 32bit in mga6, but we have now (Feb 9th) merged the upstream suggested patches for it in Cauldron, so a kernel with those patches will land in testing later today along with an update to 4.14.19

It still lacks some performance related bits, but we are getting there.

Many thanks to tmb for taking the time to bring us this update!

 

Edit: we corrected the grep command due to the helpful comments.

Fosdem 2018 – and a very little roundup

Before we get to FOSDEM, an important update came through in the last few hours – this follows tmb’s explanation from the last roundup:

MGASA-2018-0125 – Updated kernel packages fix security vulnerabilities

Publication date: 11 Feb 2018
URL: https://advisories.mageia.org/MGASA-2018-0125.html
Type: security
CVE: CVE-2017-5715, CVE-2017-5753
Description:

This kernel update is based on the upstream 4.14.18 and and adds some support for mitigating  Spectre, variant 1 (CVE-2017-5753) and as it is built with the retpoline-aware gcc-5.5.0-1.mga6, it now provides full retpoline mitigation for Spectre, variant 2 (CVE-2017-5715). WireGuard has been updated to 0.0.20180202. This update also fixes the rtl8812au driver that got broken/missing in the upgrade to 4.14 series kernels (mga#22524). For other fixes in this update, read the referenced changelogs.

Many thanks to tmb and the other devs for all their work on this!

We’ll be back with a more complete roundup next week; now to FOSDEM, from one who has been there every year…

Mageia at FOSDEM 2018

Since Mageia was born, FOSDEM has been a very important event for us. Six times we had a booth and our General Assembly during the event, we’ve always had a Mageia dinner and there were always more ways to enjoy meeting one another.

This blog post was almost not written, though, because until less than a week before FOSDEM, it was only sure of one council member, akien, that he’d be there. However, he’d mainly be there for another really nice project, the Godot Engine. Apart from that, our application for a stand was turned down (again).

Six days before FOSDEM, names started to get added to our FOSDEM 2018 Wiki page. One day later, it became certain that ennael would be at FOSDEM and on Wednesday, the number of council members who’d go increased from 2 to 4. It was only after that, that we tried to find volunteers to help organise various ways to meet one another in Brussels.

We do regret that – we’re aware that likely more Mageians would have been there, had things been organised better and earlier!

Informal Non-GA meeting

In the end, there were at least 14 Mageia community members at FOSDEM. We didn’t all manage to meet one another, but most of us were at an informal non-GA meeting (the General Assembly is expected to be done on-line with Mumble later on, so that more council/board/association members can participate).

Most of the things said during the informal meeting will be repeated during the GA, apart from karine stepping forward as new contributor (she’ll be an existing contributor when we have the GA 😉 ) and from a remark that tmb made after ennael told us about the large number of contributors with health problems that we have. He said something like “Mageia, the distribution for people with health issues”. We all laughed, but there’s a lot of truth in that remark: contributors with health issues have always been just as welcome in Mageia as contributors in perfect health.

Mageia wouldn’t exist if it had been created by healthy people only (nor when it had been created by ill people only, of course 😉 ). Anyway, if you’d like to contribute but worry whether you’re healthy enough to be accepted: stop worrying, your contribution is just as welcome as anyone else’s. There’s no minimum amount of work a contributor should do, so find a team or a task and just contribute when you feel up to it 🙂

Mageia dinner on Saturday

Without having made a reservation, and after a good walk along many restaurants, looking for one with enough room for us, eight of us had a nice dinner in a halal restaurant, a “first time” for most or all of us. It has become a tradition to go to another place after the restaurant, to enjoy a waffle . It might not be the best tradition, though, given how much some bellies are growing.

Mageia beer event (lunch) on Sunday

During the non-GA meeting, akien proposed what might become a new tradition: meet around lunch time next day for a beer together. For some it was more lunch than beer, but in any case it was nice to have another opportunity to get together, because without a Mageia stand, there is no natural place to meet.

FOSDEM itself

It seems every year FOSDEM gets more crowded, and more and more often talks attract a lot more interested visitors than fit in the room. I didn’t manage to see ovitters, who was on the GNOME stand – it was so busy I couldn’t get near.

One of the Mageians attending found FOSDEM very difficult:  “Because of the huge amount of people I missed important speaks I wanted to attend as you had to crash and disturb the previous talk to have any chance what so ever to attend until the room was “closed”. While in a room the audio quality in the PA system was so bad I couldn’t hear anything. Because of these issues I will never go there again. I’m very disappointed and frustrated I wasted time on this. This was aimed at FOSDEM so they get criticism, the fact I enjoyed meeting you and other folks is irrelevant.”

Many talks are available as videos here: https://video.fosdem.org/2018/ and here https://www.youtube.com/user/fosdemtalks/videos.

Future Mageia meetings

Because FOSDEM is so crowded, meaning we couldn’t get access to a room or have a stand, it was kind of difficult for Mageians to get together. Maybe we need to consider some other venue to meet – at a less crowded and better-organised conference, or even outside a conference? Your input is very important here – please comment below, or raise your voice in the Forums or on the mailing lists.

Thanks to Marja for writing this up! W’d hoped to include some pics, but the Mageians who took them have gone all shy – maybe next week…

Weekly Roundup 2018 – Week 5

The flood of updates has slowed a little this week:

sox (Mga 5, 6); java-1.8.0-openjdk (Mga 5,6); rsyncMga 5,6; gdk-pixbuf2.0 (Mga5) – as always, check Mageia Advisories for details. Along with the 409 updates that have gone into Cauldron, there’s been plenty happening!

Behind the scenes, work is still happening on the panel applet update mechanism, on further Meltdown/Spectra mitigation, and on the possible Mageia 6.1 release, so the devs and QA folks we all rely on are still very busy indeed. As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening. 

And almost daily, new and updated translations go up; hearty thanks to our translation team, who make Mageia so friendly to users around the world!

Interim info on Meltdown/Spectra mitigation

From tmb, our extremely busy kernel guru for whom we give thanks daily:

If you’re using

grep cpu_insecure /proc/cpuinfo && echo "patched" || echo "unpatched"

and you get

unpatched

don’t worry – this is an invalid check. Official Linux source does not have any “cpu_insecure” flag.

If you are using   

   cat /proc/cpuinfo | grep bugs

and you get 

bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown

This tells you that you have a CPU that is affected by meltdown and needs to be protected by KPTI. The only way you can get rid of that flag is to buy new hardware. That means according to Intel their new silicon that should become a new CPU by the end of 2018; for AMD and Spectre issues, it means buying a Zen2 based CPU, that is supposed to be out sometime in 2018.

If you have used https://github.com/speed47/spectre-meltdown-checker and the result is “not OK”:

That’s expected. Because:

1. Spectre variant 1 is hard to fix and also more difficult to abuse – it really needs microcode updates, and Intel botched that. According to Lenovo there should be a fix out around February 9th. AMD officially will only ship their microcode update to hardware vendors so it depends on when they will release updated bioses  or we can get the microcode through some other means. There is some code to mitigate here too, but afaik its not upstream yet.

2. Spectre variant 2 also really needs new microcode, and the IBRR/IBPB/… Kernel code mitigations have only started landing in upstream last week, and still need to be backported to the 4.14 longterm branch. And we have the alternative mitigation with minimal retpoline queued in https://bugs.mageia.org/show_bug.cgi?id=22454 (I plan to push this one later today as soon as I have written the advisories). For full retpoline we need compiler support, something I got patches for during Fosdem, and it’s now patched in gcc 5.5.0 in testing, so the next kernel will have full retpoline.

3. Meltdown has been mitigated since 4.14.13 was released in http://advisories.mageia.org/MGASA-2018-0076.html

NOTE. the Kernel Page Table Isolation mitigation is so far only for x86_64, but some suggested patches have been posted as RFC for i586, and should hopefully land soon-ish upstream and get backported. But then again, meltdown is not as easy on 32bit as it already has the 3G/1G memory split causing other complications.

Now I know some/many distros have “panic patched” stuff with earlier revisions of the fixes, but for example Redhat has afaik backed out of some of the spectre mitigations as it caused more problems than it fixed, so I have chosen to rely on somewhat tested code actually getting accepted and landing upstream.

That’s is where we are at the moment. If upstream keeps current pace we should hopefully have all the bits in place within ~1 week…

Thank you tmb!

In other news:

 The LQ Members Choice Awards polls are on right now. You may want to register and vote for Mageia being your distro of choice to add a little marketing “buzz” to our favourite distro. You can find the polls here: 

https://www.linuxquestions.org/questions/2017-linuxquestions-org-members-choice-awards-126/

If you are not a member of the LinuxQuestions.org group, you just have to register and then post one reply on their site. This then allows you to vote on various Linux poll items. Pass the word along to other Mageia supporters and make your voice count!

Weekly Roundup 2018 – Weeks 3 & 4

Apologies are due for the missing Roundup for Week 3; while the northern hemisphere has been freezing, down here in the south we have been boiling. Alas, all that heat doesn’t help with concentration! So, this is an aggregated Roundup.

FOSDEM

February is FOSDEM month – will you be in Brussels? Even when, as this year, we don’t have a stand, Mageians love to get together at FOSDEM. Check out the Wiki Page for this event, and let people know you’re coming so meetings and the Mageia Dinner can be arranged.

Some news

We were informed that mirror.math.princeton.edu will be down and physically relocated beginning 09:00 on Thursday, February 1. It is expected to be back online by noon that day. Note that their time zone is UTC -5, US Eastern Standard Time.

Updates – Mageia 5 and 6

We’re still, like Zeno and his tortoise, not quite ready to completely finish adding updates to Mageia 5 – there are still a few of the Meltdown and Spectra-related security fixes in the pipeline. We’ll add a separate blog post for the event to keep you informed. Recent security updates to Mageia 5 include nspr, rootcerts, nss, firefox, firefox-l10n, glibc, bind, squid and gdk-pixbuf2.0. Check Mageia Advisories for more details, and note that there are no bugfix updates for Mga5.

An update to the tray applet to upgrade from Mageia 5 to Mageia 6 is in QA testing; watch out for updates to this important utility. We hope it will smooth the path from 5 to 6 for those of you who want to do the version upgrade rather than a clean install.

For Mageia 6, the security update list is even longer – webkit2, kmod-vboxadditions, kmod-virtualbox, virtualbox, graphicsmagick, nspr, rootcerts, nss, firefox, firefox-l10n, glibc, locales, systemd, bind, unbound, golang, mariadb, gdk-pixbuf2.0, gifsicle and squid. Bufix updates include joe , mpv, radeon-firmware, ldetect-lst, libdrm, mesa, wayland-protocols, x11-driver-video-amdgpu, x11-driver-video-ati, x11-driver-video-intel, subtitlecomposer, nvidia340, smtube, smplayer, cargo and rust.

Cauldron

In the two weeks since the last Roundup, a staggering 939 package updates have come through into Cauldron! Maybe the devs are working so hard to keep warm? Thanks to them all, and to the QA/testing and translation folks for their amazing work.

As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening.

Wiki updates

There’s also been lots of work happening on the Wiki, with updates and additions; check out the Recent Changes page, where you can also subscribe to the Atom feed to receive email alerts when changes are made.

Weekly Roundup 2018 – Week 2

The year is definitely under way, with an astonishing 412 packages coming through commits – mostly for cauldron, but a few are the last remaining updates for Mageia 5, as well as important security updates for Mageia 6.

Among those updates are all the kernel and microcode updates – our thanks to tmb and our untiring devs for these – to begin hitting Meltdown and Spectre on the head.

A big hand for the upstream kernel team, as well as our own packagers, QA testers and everyone else that was involved in getting this tested and released.

The best place to check these updates out fully is the Mageia Advisories page:

Screenshot of Mageia Advisories page

The Mageia Advisories page is full of information! Clicking on the Advisory number (second column) will take you to the full advisory; so, clicking on MGASA-2018-0076, the advisory for the most recent kernel updates to Mageia 6, takes you to an explanation of what is covered in the fix, plus references for further reading.

Screenshot of Advisory MGASA 2018-0076

If you’re more interested in the original security announcement, the list of CVEs in the right-hand column is also filled with links; clicking on any one of those links will take you to the information for that CVE. If, like CVE 2017-5715, it covers a number of fixes in Mageia, you will arrive at an interim page where all the updates covering that advisory are aggregated, looking like this:

Screenshot of Advisories aggregation

On the aggregated page, clicking on the part of the heading containing the advisory number

Screenshot of advisories heading

will take you to the CVE announcement.

You can keep up with all the other goings-on in Mageia on IRC or the Forums, as well as all the mailing lists – they’re all very active and welcoming places, so please join in!

Weekly Roundup 2018 – Week 1

In the spirit of a new year, Mageians have been very busy.

Meltdown and Spectre mitigation

meltdown and spectre logos

If you’ve been anywhere near a news channel in the last few days, you’ll have heard of these two CPU flaws – there’s an overview at arstechnica for those who haven’t seen it yet. It’s important to note that not only Intel CPUs are vulnerable!

Mageia kernel updates to mitigate these two flaws are already being worked on. Mageia 6 kernel updates released in the last 24 hours don’t as yet solve all the problems, but kernel-4.14.12-2.mga6 is in updates/testing (as is the .mga7 kernel for Cauldron). Expect updates very shortly. Our thanks to our tireless kernel devs and our ever busy QA team!

Mageia 5 is at end of life, people – to avoid issues with Meltdown and Spectre, it’s time to update to Mageia 6. Before you begin, please read “Upgrading from Mageia 5” and the associated links. That said, we have decided to apply specific updates to the kernel and to Firefox, just to deal with the Spectre and Meltdown vulnerabilities. Subsequent updates of the kernel to minimise the performance impact of the security updates will not be applied in Mageia 5, similar for other security fixes. So you have a little time to prepare to upgrade, but do get on it!

While all that has been going on, there has been a constant stream of updates into Cauldron, updates for Mageia 6 and the last few for Mageia 5, and plenty of packages going into testing. Check out the usual suspects: Mageia Advisories, the Mageia AppDBPkgSubmit to see the last 48 hours, and Bugzilla.

Have a great week!

Discussing the future of Cantor

Hello devs! Happy new year!

It is common to use the new year date to start new projects or give new directions for old ones. The last one is the case for Cantor.

Since when I got the maintainer status for Cantor, I was working to improve the community around the software. Because the great plugins systems of Qt, it is easy to write new backends for Cantor, and in fact in last years Cantor reached the number of 11 backends.

If in a hand it is a nice thing because Cantor can run different mathematical engines, in other hand it is very common developers create backends, release them with Cantor upstream, and forget this piece of software after some months. The consequence of this is a lot of unsolved bugs in Bugzilla, unexpected behaviours of some backends, and more.

For instance, R backend is broken from some years right now (thanks Rishabh it was fixed during his GSoC/KDE Edu Sprint 2017 but not released yet). Sage backend breaks for each new release of Sage.

Different backends use different technologies. Scilab and Octave backends use QProcess + Standard Streams; Python 2 uses Python/C API; Python 3, R, and Julia use D-Bus.

In addition to these, remember each programming language used as mathematical engine for Cantor has their respective release schedule and it is very common new versions break the way as backends are implemented.

So, yes, the mainternhip of Cantor is a hell.

In order to remedy it I invited developers to be co-maintainer of these respective backends, but it does not have the effect I was suposed to. I implemented a way to present the versions of programming languages supported in the backend but it does not work well too.

So, my main work in Cantor during these years was try to solve bugs of backends I don’t use and, sometimes, I don’t know how they work, while new features were impossible to be planned and implemented.

If we give a look to Jupyter, the main software for notebook-based mathematical computation, it is possible to see this software supports several programming languages. But, in fact, this support is provide by the community – Jupyter focus effort in Python support only (named the ipython kernel) and in new features for Jupyter itself.

So, I would like to hear the KDE and Cantor community about the future of Cantor. My proposal is split the code of the others backends and put them as third-party plugins, maintained by their respective community. Only the Python 3 backend would be “officially” maintaned and delivered in KDE Applications bundle.

This way I could focus in provide new features and I could to say “well, this bug with X backend must be reported to the X backend community because they are accountable for this piece of software”.

So, what do you think about?

Weekly roundup 2017, Week 52

From the last hours of 2017: Happy 2018!

Warm good wishes for a happy, successful and peaceful New Year to all Mageians everywhere.

This last week of 2017, there have been loads of updates – check out the usual links to see where we’re at: Mageia Advisories, the Mageia AppDBPkgSubmit to see the last 48 hours, and Bugzilla.

Although Mageia 5 is scheduled to reach the end of support on the last day of 2017, due to an unexpected surge in last minute updates being submitted for testing by the qa team, it may be several days into the new year before updates for Mageia 5 stop becoming available.

I don’t believe any of the devs or QA folk have taken any time off since the last roundup, there has been such a lot coming through! Our heartfelt thanks to them, who keep our distro such a magical thing.

What a year 2017 has been!

In January, as well as working up to the second stabilisation snapshot of Mageia 6, we were preparing for FOSDEM, where ennael and stormi presented the talk Mageia, successes and lessons learned 6 years after forking. If you weren’t lucky enough to be in Brussels to meet up with other Mageians and hear the talk, you can still pick it up from the FOSDEM archive; the video is here.

February saw the first of these Weekly Roundup posts, so that we could all see a snapshot of what’s happening behind the scenes. Our Atelier leader schultz has been tireless all through the year in bringing these to us; I hope to live up to the standards he’s set! We also saw the FOSDEM report, with a brilliant couple of meetings; and we took stock of the progress on the way to Mageia 6, which by that time was very late!

March saw us make a donation to Framasoft, where our pads are hosted – we’re thankful for their service several times a month, so it was time to reciprocate. We attended Chemnitzer Linuxtag and were preparing to attend JDLL – see the March blog posts to read the reports. And the RC ISOs for Mageia 6 were in testing…

April was a bit mixed – we shut down a couple of servers and the web services were offline for a bit, but the Classical ISOs for Mageia 6 were almost ready! We did get all our servers upgraded to Mageia 5, and that made everything more secure for everyone.

May: the Mageia 6 RC is released! Oh my, the work that was behind that tiny sentence. In June, we went into release freeze, and at the end of the month the message went out: “Nobody touch anything!”

And in mid-July, it finally happened: Mageia 6 was released. What a huge work that was – so many packages with enormous version upgrades, so much work from the developers and testers to get it all to play nice. And, isn’t it lovely? great new artwork and lots of new packages to play with. Then, in August, we went a little bit quiet, because everyone needed a rest!

From September until now, the developers, testers and QA folks have been working on two fronts; sorting out any issues with Mageia 6 packages, and setting the frameworks for Mageia 7. Documenters and translators have been busy, especially with updating the wiki – check it out!

We’re approaching the time where Mageia 5 will come to the end of its life, and looking forward to the new release – just like with the calendar, where we’re looking back over the past year even as we embark on the new year.

Happy Mageia New Year!

Weekly roundup 2017 – Week 51

So, it’s Week 51, so of course it’s the festive holiday season! We wish all Mageians everywhere the very best of all things for the holidays, whichever way you celebrate them.

We’ll get to the new year in next week’s roundup!

In the last week, the developers and the Q&A folks have been sending through a steady stream of updates. Wow, they’ve worked hard. As always, you can check Mageia Advisories  and the Mageia AppDB  to get a notion of what they’ve been up to; and PkgSubmit  to see the last 48 hours.

Another interesting way to keep track of what’s happening is Bugzilla. On the Home page you’ll find some links at the bottom left, so you can look at recent bugs and changes – the last day or the last 7 days:

There are also RSS feeds, if you like that kind of thing.

One thing that’s still happening is that distrib-coffee is still out of service; the festive season might have something to do with that. Check out the Infrastructure bug here.

Again, warm good wishes from all at Mageia to all Mageians, all over the world.