Systemd Vulnerable to DNS Attacks

Systemd, the Linux world’s favorite init monolith, can potentially be crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you’re affected.

grub-pc (2.02~beta2-36ubuntu3.10)

I’m running an Ubuntu server and the other day while running updates I started getting the following error:

Setting up grub-pc (2.02~beta2-36ubuntu3.10) ...
/var/lib/dpkg/info/grub-pc.postinst: line 703: syntax error near unexpected token `fi'
dpkg: error processing package grub-pc (--configure):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 grub-pc
E: Sub-process /usr/bin/dpkg returned an error code (1)

Opening /var/lib/dpkg/info/grub-pc.postinst I found:

        if dpkg --compare-versions "$2" lt-nl 2.02~beta2-36ubuntu3.10 then
          if [ -e "/boot/efi/EFI/${bootloader_id}/fbx64.efi" ]; then
            rm -f "/boot/efi/EFI/${bootloader_id}/fbx64.efi";
          fi
        fi

There was a missing semicolon in the first line and that’s what was breaking my update. I updated it and the error went away:

        if dpkg --compare-versions "$2" lt-nl 2.02~beta2-36ubuntu3.10; then
          if [ -e "/boot/efi/EFI/${bootloader_id}/fbx64.efi" ]; then
            rm -f "/boot/efi/EFI/${bootloader_id}/fbx64.efi";
          fi
        fi
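
A parse-only check would have caught this before dpkg ran the script. The sketch below is an added example, not part of the grub-pc package: the function names are made up for illustration, and the sample files are constructed from the two snippets above.

```shell
#!/bin/sh
# Added example: parse-only check of dpkg maintainer scripts (nothing is executed).

# check_script FILE: print "ok", "syntax-error", or "skipped" (not a shell script).
check_script() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*bash*) interp=bash; command -v bash >/dev/null 2>&1 || interp=sh ;;
        '#!'*sh*)   interp=sh ;;
        *)          echo skipped; return 0 ;;
    esac
    # -n reads and parses the script without running any command in it
    if "$interp" -n "$1" 2>/dev/null; then echo ok; else echo syntax-error; fi
}

# scan_maintainer_scripts DIR: print each maintainer script in DIR that fails to parse.
scan_maintainer_scripts() {
    for f in "$1"/*.preinst "$1"/*.postinst "$1"/*.prerm "$1"/*.postrm; do
        [ -f "$f" ] || continue
        if [ "$(check_script "$f")" = syntax-error ]; then echo "$f"; fi
    done
    return 0
}

# Constructed sample: the broken and corrected conditionals from this post,
# wrapped in minimal scripts inside a scratch directory (path is printed).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/broken.postinst" <<'EOF'
#!/bin/sh
if dpkg --compare-versions "$2" lt-nl 2.02~beta2-36ubuntu3.10 then
  if [ -e "/boot/efi/EFI/${bootloader_id}/fbx64.efi" ]; then
    rm -f "/boot/efi/EFI/${bootloader_id}/fbx64.efi";
  fi
fi
EOF
    # The fix: add the semicolon that terminates the condition before "then"
    sed 's/3\.10 then$/3.10; then/' "$dir/broken.postinst" > "$dir/fixed.postinst"
    echo "$dir"
}
```

Run `scan_maintainer_scripts /var/lib/dpkg/info` after hand-editing a maintainer script and before retrying the package configuration; no output means every script parses.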

Linux Kernel Zero Day Vulnerability CVE-2016-0728

This vulnerability has existed since 2012 and affects Android and Linux systems running Linux kernel version 3.8+; any Linux server or desktop running kernel 3.8+ is vulnerable.

As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets).

How do I fix this?

First, some background on what the CVE-2016-0728 bug is. From the Perception Point Research Team:

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug. It can successfully escalate privileges from a local user to root.

Configure WiFi on an Ubuntu Server

OK, I know you’re wondering why I would ever want to set up WiFi on a server. Well, this was a small server to do some light work, and the mini PC I used had a built-in WiFi card. Since it had the option, I figured I’d use the convenience rather than having to run another cable.

Ubuntu and Debian End-of-Life Timeline

Ubuntu

Standard Ubuntu releases are supported for 9 months and Ubuntu LTS (Long Term Support) releases are supported for five years on both the desktop and the server. During that time, there will be security fixes and other critical updates.

My gripe with Debian

I wanted to test the new Debian release to see what was new in that sphere, so I got it set up on my machine.

A few things ticked me off right from the start…

The main one being that my Intel WiFi card was not picked up. And yes, I get that Debian has their special rules (Debian Free Software Guidelines) and all, but how do you provide a desktop environment that people will want to run on a laptop without allowing for WiFi drivers? And yes, I know too that it’s easy to get it working, but these are things that should work out of the box, not to mention that unless you are familiar with Linux you will not want to get into that process.

I do not recommend Debian as an entry Linux alternative for several reasons, the main ones being that there are lots of things missing because of their restrictions on what they include by default, and all the extra configs that need to be done depending on what machines you run it on.

It does not make it easy on them either that they provide all the extras in their non-free sources that should be enabled by default if you ask me.

Good Bye CrunchBang

I haven’t been online blog-wise for a bit with work and school. I come back today and what do I see? A farewell note from my favorite Linux flavor, CrunchBang (#!), a sad day in Linux history. I have been using Linux since Debian 4.0 and Ubuntu 6.06 and have not found a flavor as clean, robust and stable as #!. It was the last OS I’ve been using and now I have to venture out to find a new one.

Here are excerpts from the goodbye message:

When I first started working on CrunchBang, the Linux landscape was a very different place and whilst I honestly didn’t know if there was any value to it, I knew there was a place for CrunchBang on my own systems. As it turned out, there seemed to be quite a demand for it on other people’s systems too. I’m not entirely sure why this was the case, but if I had to guess, I would say that it was probably due to the lack of competition/alternatives of the same ilk. If I’m remembering correctly, at the time, there was no LXDE tasksel in Debian and certainly no Lubuntu around. CrunchBang filled a gap and that was nifty.

So, what’s changed?

For anyone who has been involved with Linux for the past ten years or so, I’m sure they’ll agree that things have moved on. Whilst some things have stayed exactly the same, others have changed beyond all recognition. It’s called progress, and for the most part, progress is a good thing. That said, when progress happens, some things get left behind, and for me, CrunchBang is something that I need to leave behind. I’m leaving it behind because I honestly believe that it no longer holds any value, and whilst I could hold on to it for sentimental reasons, I don’t believe that would be in the best interest of its users, who would benefit from using vanilla Debian.

As too many have been saying in their thank you – farewell notes, I too want to tip my hat to Philip Newborough for putting together this awesome flavor for us and for the work he put into it over the years. Too many developers go by as unsung heroes until they decide to stop and then the fanfare pours out. Sadly I started my journey with CrunchBang a bit on the really late side (late 2014 to be precise), though I did find a base config for Conky from them; but I never got around to providing assistance and I feel guilty for it.

I will keep searching for a suitable replacement again and will let you know if I find anything interesting… Fedora Mate has been my second choice but it’s not as sleek and sexy as #! is/was…

As for the statement made by Philip:

I don’t believe that would be in the best interest of its users, who would benefit from using vanilla Debian

I’d like to point out that I and a vast number of Linux users started with either a Debian or Ubuntu base and, for the same reasons he created #!, we have been migrating away from the vanilla builds of these flavors. With Ubuntu’s decision to initially move to Gnome3 and then to Unity, combined with their privacy issues and all, and with most other distros moving to Gnome3, more and more people are finding sleek flavors like #! a choice among choices. True, we can always remove the default desktop crud and give it a face lift; but which newcomer to Linux has the time and experience to do all that and risk breaking their system? People just want a great out-of-the-box experience.

Hopefully Bunsen Labs Linux comes along with an ISO soon so others can start to install it on their machines. I’ll be testing with their scripts shortly and will give a writeup on what I experience. Their work is hosted on GitHub here

Bash ‘Shell Shock’ bug blasts OS X, Linux systems wide open

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.

It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn’t vulnerable, but busted versions of Bash may well be present on the systems anyway. It’s essential you check the shell interpreters you’re using, and any Bash packages you have installed, and patch if necessary.

Security expert Kenn White tweeted:

You can check if you’re vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the word “busted”, then you’re at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
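
To check every Bash binary on a host rather than only the default shell, the sketch below applies the widely published environment-variable probe to each one. It is an added example, not the lines from the original article; the function names and the `probe` variable name are made up for illustration.

```shell
#!/bin/sh
# Added example: probe each Bash binary on this host for the function-import bug.

# probe_bash BIN: print "vulnerable" if BIN executes text placed after a function
# definition in an environment variable, otherwise "not-vulnerable".
probe_bash() {
    out=$(env 'probe=() { :;}; echo busted' "$1" -c 'echo done' 2>/dev/null)
    case "$out" in
        *busted*) echo vulnerable ;;
        *)        echo not-vulnerable ;;
    esac
}

# list_bash_binaries: candidate paths from /etc/shells and PATH, de-duplicated.
list_bash_binaries() {
    {
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || true; fi
        command -v bash 2>/dev/null || true
    } | sort -u
}

# audit_bash: print one "PATH RESULT" line per Bash binary that exists here.
audit_bash() {
    list_bash_binaries | while read -r bin; do
        if [ -x "$bin" ]; then echo "$bin $(probe_bash "$bin")"; fi
    done
    return 0
}
```

Call `audit_bash` on each machine; a system whose login shell is Dash can still report a vulnerable `/bin/bash` that CGI scripts or DHCP hooks invoke.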

agedu for keeping up with disk usage in Linux

A few months ago I was tasked with tracking down whatever it was that kept devouring all the disk space on one of our servers. Not too hard except it’s a Linux server and I did not want to put in the effort to shell in and run commands every time something happened and I certainly did not want to have to get this one server into our production environment as it was used mostly for QA to keep their stuff.

I looked around to see if there was an easy solution and ran across agedu (age dee you), and I got them set up with it so they could do their own searches. The process to clean up disk is to track down the culprits and delete them; agedu does a full drive scan and displays reports that show how much space is being used by each directory and file. It even shows the access time range for each directory.

The du vs agedu thing

Yes, you could just run du and get a summary of disk usage; but agedu actually takes things to another level by distinguishing between data that is still being used and data that has not been accessed for some time, so it not only finds what is using up the most space, but also what is wasting your space by just taking up space and not being used.

From the agedu site:

Unix provides the standard du utility, which scans your disk and tells you which directories contain the largest amounts of data. That can help you narrow your search to the things most worth deleting.

However, that only tells you what’s big. What you really want to know is what’s too big. By itself, du won’t let you distinguish between data that’s big because you’re doing something that needs it to be big, and data that’s big because you unpacked it once and forgot about it.

Most Unix file systems, in their default mode, helpfully record when a file was last accessed. Not just when it was written or modified, but when it was even read. So if you generated a large amount of data years ago, forgot to clean it up, and have never used it since, then it ought in principle to be possible to use those last-access time stamps to tell the difference between that and a large amount of data you’re still using regularly.

agedu is a program which does this. It does basically the same sort of disk scan as du, but it also records the last-access times of everything it scans. Then it builds an index that lets it efficiently generate reports giving a summary of the results for each sub-directory, and then it produces those reports on demand.

How to fix missing Tigon firmware on Debian

You are upgrading your Debian server when you get an error about missing tigon firmware like this one:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

What do you do?

Fear not, citizen, we’ve got you covered. The error is brought on by systems that have a Tigon Gigabit Ethernet controller installed. Here is how to fix it.

apt-get update && apt-get install firmware-linux-nonfree

To find out what firmware is included in this non-free package, run:

aptitude show firmware-linux-nonfree
