CentOS position on systems intrusion at Red Hat
Earlier today Red Hat made an announcement [1] that there had been an intrusion into some of their computer systems last week. In the same announcement they mention that some of the OpenSSH packages for RHEL-4 ( i386 and x86_64 ) as well as RHEL-5 ( x86_64 ) were signed by the intruder. In their announcement they also clarified that they were confident that none of these potentially compromised packages made their way into or through RHN to client and customer machines. As a security measure a script [3] was made available along with a semi-detailed description of the issue [2].
We take security issues very seriously, and as soon as we were made aware of the situation I undertook a complete audit of the entire CentOS4/5 build and signing infrastructure. We can now assure everyone that no compromise has taken place anywhere within the CentOS infrastructure. Our entire setup is located behind multiple firewalls, and is only accessible from a very small number of places, by only a few people. Also included in this audit were all entry points to the build services, signing machines, primary release machines and the connectivity between all these hosts.
Since OpenSSH is a critical component of any Linux machine, we considered it essential to audit the last two released package sets ( openssh-4.3p2-26.el5.src.rpm, openssh-4.3p2-26.el5_2.1.src.rpm ). I have just finished this code audit, and can assure everyone that there is no compromised code included in either of these packages. A similar check is also being done for the CentOS-4 sources.
Packages released today by upstream ( based on openssh-4.3p2-26.el5_2.1.src.rpm and openssh-3.9p1-11.el4_7.src.rpm ) address two issues. Firstly, they contain a fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752 . Secondly, in the remote event that someone had indeed got compromised packages via RHN, their packages would get updated to a known good state. We wanted to get these packages out right away to address the first issue, and also to cover users converting non-updated RHEL installs to CentOS in the next few weeks/months. Release of these packages into the mirror.centos.org network does *not* imply that CentOS users are affected by the intrusion at Red Hat.
Finally, while we feel confident that there is no possibility of this compromise having been passed onto the CentOS userbase, we still encourage users to verify their packages independently using whatever resources they might have available.
--
[1]: https://rhn.redhat.com/errata/RHSA-2008-0855.html
[2]: http://www.redhat.com/security/data/openssh-blacklist.html
[3]: https://www.redhat.com/security/data/openssh-blacklist-1.0.sh
It's important to note that this script *only* checks for packages built within Red Hat, and will *not* be a reliable source of verification on CentOS, since we rebuild from sources using no Red Hat binaries.
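One way to do the independent verification encouraged above on a CentOS box, added here as an example (this is neither part of the CentOS statement nor the Red Hat script): `rpm -K` (alias `--checksig`) verifies the GPG signature on package files against the keys imported into the rpm database, and the small script below classifies each output line so that unsigned files and failed signatures stand out instead of scrolling past. The three sample lines under `demo` are constructed; the `ok / unsigned / bad` verdicts are this example's own naming, and the `(sha1) dsa sha1 md5 gpg OK` shapes are the standard rpm 4.4 output formats. On a CentOS-5 install the distribution key ships as /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 and must be imported first, or every signed file reports NOT OK.

```shell
#!/bin/sh
# Added example, not from the CentOS statement or the Red Hat script:
# a report over `rpm -K` (--checksig) output that flags package files whose
# GPG signature is absent or does not verify. Sample lines are constructed.

# Classify one line of `rpm -K` output as ok / unsigned / bad.
# rpm prints, for example:
#   foo.rpm: (sha1) dsa sha1 md5 gpg OK        -> signed, key known
#   foo.rpm: sha1 md5 OK                       -> digests only, no signature
#   foo.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK    -> bad signature or key not imported
classify_checksig_line() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    verdict=${lower#*: }          # drop the "filename: " prefix before matching
    case "$verdict" in
        *"not ok"*)   echo bad ;;
        *gpg*|*pgp*)  echo ok ;;
        *ok*)         echo unsigned ;;
        *)            echo bad ;;
    esac
}

# Read `rpm -K` output on stdin, echo every problem line to stderr and
# print the number of files that did not verify with a known key.
count_unverified() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_checksig_line "$line")
        if [ "$status" != ok ]; then
            echo "$status: $line" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Check real package files: show which signing keys rpm knows about, then
# run rpm -K over the files given and summarise.
check_rpm_files() {
    rpm -q gpg-pubkey --qf '%{SUMMARY}\n' >&2
    rpm -K "$@" | count_unverified
}

case "${1:-}" in
    demo)
        # Constructed sample output: one good signature, one unsigned local
        # build, one failed signature (e.g. key not imported or file altered).
        printf '%s\n' \
            'openssh-4.3p2-26.el5_2.1.i386.rpm: (sha1) dsa sha1 md5 gpg OK' \
            'localbuild-1.0-1.i386.rpm: sha1 md5 OK' \
            'suspect-1.0-1.i386.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK' \
            | count_unverified ;;
    '') ;;
    *) check_rpm_files "$@" ;;
esac
```

Run it as `sh checksig-report.sh demo` to see the constructed lines classified, or `sh checksig-report.sh /var/cache/yum/*/packages/*.rpm` to check real files; the count it prints is the number of files you still need to account for, and the lines on stderr tell you which ones.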
back in town
I'm back in London now and slowly getting back into the swing of things.
- KB
Emergency trip to India
Just had news this afternoon that my Grandma, who was already in hospital for a few days, has taken a turn for the worse, and the doctors are worried that she isn't improving as fast as she should. So, I am heading off to India to be with my family for a bit. I will still be on email and mobile phone ( prefer SMS rather than voice ).
All the various projects I am involved with will still keep on moving along, maybe a bit slower over the next few weeks.
- KB
CentOS and reissue of updated packages for CVE-2008-1447
Some people will notice that a second set ( i386 x86_64 ) of announcements was just made to address the issue raised in CVE-2008-1447, after the initial announcement ( i386 x86_64 ).
These are indeed newer packages based on bind-9.3.4-6.0.2.P1.el5_2 ( the original update was based on bind-9.3.4-6.0.1.P1.el5_2 ). The reason for this reissue from upstream is explained at : https://bugzilla.redhat.com/show_bug.cgi?id=454852 and I highly recommend you look at it, especially if you run IPv6 on the wire.
Of course it would have been nicer if upstream had issued another RHSA rather than just updating the existing one with newer packages. I wonder if there were operational issues or release process issues to blame for this.
- KB
puppet fact for CentOS Version
I looked and found nothing for this, so wrote this quick fact for puppet.
# centos_version.rb
# Ask rpm for the version of the centos-release package ( "5" on CentOS-5 )
Facter.add("centos_version") do
  setcode do
    %x{/bin/rpm --qf "%{version}\n" -q centos-release}.chomp
  end
end
Once it's in your facts/ directory you can do things like this in your puppet manifests :
case $centos_version {
  4: { ... }
  5: { ... }
  default: { ... }
}
- KB
time warp!
[root@joey3 ~]# for f in `seq 1 10 `; do ntpdate 0.centos.pool.ntp.org; sleep 1 ; done
10 Jul 17:48:55 ntpdate[2006]: step time server 78.46.38.139 offset 17.982743 sec
10 Jul 17:49:25 ntpdate[2010]: step time server 213.251.134.188 offset 27.869019 sec
10 Jul 17:50:11 ntpdate[2014]: step time server 78.46.38.139 offset 44.234084 sec
10 Jul 17:50:42 ntpdate[2018]: step time server 193.65.58.58 offset 29.423324 sec
10 Jul 17:51:14 ntpdate[2022]: step time server 78.46.38.139 offset 29.235468 sec
10 Jul 17:51:21 ntpdate[2026]: step time server 213.251.134.188 offset 5.136763 sec
10 Jul 17:51:39 ntpdate[2030]: step time server 213.251.134.188 offset 16.063417 sec
10 Jul 17:52:10 ntpdate[2034]: step time server 193.65.58.57 offset 28.965800 sec
10 Jul 17:52:44 ntpdate[2038]: step time server 213.251.134.188 offset 31.710727 sec
10 Jul 17:53:19 ntpdate[2042]: step time server 213.251.134.188 offset 33.299126 sec
Seagate and RMA
So I have this Seagate 7200.11 500GB sata drive that's sort of died on me. Smartctl says Failed and pretty much anything that touches the drive returns 'Media failure' messages from the kernel. Next step I guess is to RMA the thing back to Seagate. But there seems to be something really odd. I can get to the warranty checker, type in the serial number, product code and select where I live, and it confirms that the warranty is till Nov 2012. Awesome so far. But the 'create rma' button just leads to a page that says 'This service is unavailable'.
Quite odd that they would go through the effort of getting the whole warranty checker etc online and not have a way to file for rma online. But then I've never had to go back to seagate before, the last time I had an issue with a seagate drive, my vendor sorted it out. hummm
-- KB
5.2 Release update
We found a very major issue with the last set of ISOs for 5.2, meaning I had to redo the distro ISOs today. We should start seeding the mirror network in the next 24 hours, so release should still be 23rd June, give or take a day or so.
UPDATE: 2008-June-23 : We found yet another issue with the x86_64 tree, so while some of the updates are now syncing out, please wait for the release announcement before pulling packages and the ISOs.
--
Karanbir Singh [ http://www.karan.org/ ]
Thunderbird 3.0Alpha SMTP with
I've just been looking at Thunderbird 3.0Alpha and it can't send email when SMTP login is required and 'secure authentication' is selected... wtf!
Many people will jump and point out that SMTP isn't meant to be a secure transport; however, since pretty much everyone supports secure logins these days and SMTP-over-TLS or SSL, and many MTAs use secure transport, it can be at least semi-secure, especially within mail domains that one might be able to influence. So what's the deal with Tb3.0 ?
Agreed, it's an Alpha release and they might get it resolved before release.....
- KB
Lirc capable remote
Does anyone have a Lirc ( http://www.lirc.org/ ) compatible remote they would like to recommend ?
- KB
oh no! someone broke freshmeat.net
Looks like something is muchly broken at freshmeat.net at the moment. I can get to the site no problem, it's just that the site has no content on there. And that's odd. Here is a screenshot of what it looks like on my side at the moment. does not seem to have this issue. Oddness. Perhaps a broken node in the :80 cluster ? Humm
- KB
my head hurts
Hi,
If you have sent me email or tried to contact me over the last couple of days and not had a response, I will get in touch with you shortly. I've been quite unwell and am recovering. The plan is to be back in action full time, sometime early next week.
If you have something urgent, you can always call and leave a message on my mobile phone ( I am clearing those out regularly ).
- KB
CentOS5 on the Asus EEEpc - Part1
Matthew and I spent some time today working on getting the CentOS-5 installer done so it works out of the box for network installs onto an EEEpc.
For now, take a look at his post, and the pictures he has posted online. More details from my side as soon as I can get my notes etc sorted out. There are a few issues that still need attention, but we are looking fairly good so far.
- KB
Another textarea edit aid : View Source With
So, following up on my last blog post about editing text areas using an external editor, I remembered that in the past there used to be an addon that could do view source in external editors / viewers, and checking again, it seems that you can now edit text areas as well using the same addon. It's called *drum roll* ViewSourceWith, written by Davide Ficano.
From their homepage, these are the goals:
- open page source as DOM document, read faq
- open CSS and JS files present on page
- open images using your preferred image viewer (e.g. GIMP or ACDSee)
- open PDF links with Acrobat Reader or Foxit Reader or what you prefer
- edit textbox content with your preferred editor and automatically see the modified text in the browser when you switch focus back to it; this simplifies wiki page editing, read faq
- open server side pages that generate the browser content; this simplifies web developers' debugging, read server-faq
- open files listed in the Javascript console. When the editor opens the file, the cursor can be moved to the line number shown in the Javascript console, read js faq
I've just installed it and the UI is much easier to work with ( Dag is going to like this one a lot more ). Don't have rpms as yet, but there will be some shortly. For now, just install it from their website.
- KB
Using your favourite text editor to edit textareas in Firefox
Everyone has an editor of choice, and when it comes to editing text areas, like wiki content or even just generic contact forms and doing posts in forums or blogs, it's quite irritating to not get access to that editor.
The only way to get access to that editor is to have it launch on some hot key; then when the textarea box comes up, do a select-all, cut and paste that content into the editor, and when you are done, select-all from the editor and paste that into the textarea. You could do this by hand, but it's quite a pain. In most cases it then boils down to which kind of pain you want to suffer: the lack of a decent editor built into Firefox, or the copy + paste pain of moving content between apps. The best medium would be if there was an app that would do this for you, and there is. It's called 'It's All Text!', and it's an addon to Firefox that does just this sort of thing. The project home page is here.
You install it as an addon, go into the preferences and select what editor you want to use. Then when a textarea comes up, a small button appears, by default in the lower right corner, and clicking that will launch your editor with the command line specified and let you do the edit etc. When you are done, just save and quit; the addon will check the tempfile it set up for changes, and paste them back into the text area. If you want the 'edit' button somewhere else you can change that in the addon's preferences. I prefer the top left instead of the bottom right, since in lots of cases the text area for wiki pages etc. is quite large and I don't get the bottom right without needing to scroll the window a bit.
RPMs for CentOS-5 are here : i386 x86_64 Just click the arch you need them for and it should install the addon.
- KB
Network booting Sparc / OBP machines
Been working with Johnny on getting the CentOS-5 installer sorted to work on Sparc ( essentially any recent Sun hardware, including the UltraSPARC T1 CoolThreads stuff ). However, the only Sparc machine that I have locally and is usable is an Ultra/10. Not the fastest machine on the planet, I know. Also, no one is allowed to crack jokes about it. So don't.
Anyway, getting network booting going is easy for these machines; all you need is rarpd and tftpd installed on the machine. On a CentOS machine here is how you would go about doing that :
yum install rarpd tftp-server
echo '{MAC address of the machine} 192.168.1.45' > /etc/ethers
cp tftp64.img /tftpboot/C0A8012D
service rarpd start
{ edit the /etc/xinetd.d/tftp file and change disable=yes to disable=no }
service xinetd reload
{ on the Sun machine, from OBP's 'ok' prompt, type 'boot net' }
Couple of things to note here :
- You need the MAC address of the machine to put into the /etc/ethers file, along with the IP address you are going to allocate it. If you don't know what the MAC address is, start the machine up and look in the syslog on the machine running rarpd; you will notice a message like this :
Feb 29 00:17:10 monk rarpd[18869]: RARP request from 08:00:20:f8:d4:c7 on eth0
and you can get the MAC from there.
- If things don't work, edit the /etc/init.d/rarpd file and add a '-v' to the rarpd startup command line. Sometimes it helps to know what is going on.
- rarpd will, by default, check to make sure there is a tftp image that the machine can boot; however it's worth telling rarpd where the tftpboot directory is, so add this to the end of the rarpd startup line in the initscript : -b /tftpboot
- The filename you copy the tftp64.img file to must be the hex form of the IP address you allocate the machine via rarpd, and it needs to be in uppercase. For those who can't convert between a decimal IP and hex, there are online calculators.
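The hex file name and the MAC-from-syslog step are the two places this recipe usually goes wrong, so here is a small helper script, added as an example (it is not from the original post, nor part of the rarpd or tftp-server packages), that converts a dotted IP address to the upper-case hex name the Sun box will request, pulls the MAC out of a rarpd syslog line like the one above, writes the /etc/ethers entry only if it is not already there, and copies the boot image into place. The tftp directory and the ethers file are parameters so the whole thing can be rehearsed in a scratch directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the rarpd/tftp
# netboot recipe above. POSIX sh; every path is parameterised so the logic
# can be tried in a scratch directory before touching /tftpboot or /etc/ethers.

# Convert a dotted-quad IPv4 address into the upper-case 8-digit hex file name
# that a rarpd-booted Sun machine asks the tftp server for:
#   192.168.1.45 -> C0A8012D
ip_to_hex() {
    saved_ifs=$IFS
    IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$saved_ifs
    [ $# -eq 4 ] || { echo "ip_to_hex: expected a.b.c.d" >&2; return 1; }
    for octet; do
        case "$octet" in
            ''|*[!0-9]*) echo "ip_to_hex: bad octet '$octet'" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "ip_to_hex: octet $octet > 255" >&2; return 1; }
    done
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# Extract the client MAC from rarpd's syslog line, read on stdin, e.g.
#   Feb 29 00:17:10 monk rarpd[18869]: RARP request from 08:00:20:f8:d4:c7 on eth0
mac_from_rarpd_log() {
    sed -n 's/.*RARP request from \([0-9a-fA-F:]*\) on .*/\1/p'
}

# Append "MAC IP" to the ethers file (default /etc/ethers) unless that MAC is
# already listed, so re-running the script never produces duplicate entries.
add_ethers_entry() {
    mac=$1; ip=$2; file=${3:-/etc/ethers}
    if [ -f "$file" ] && grep -qi "^$mac[[:space:]]" "$file"; then
        echo "$mac already present in $file" >&2
        return 0
    fi
    printf '%s %s\n' "$mac" "$ip" >> "$file"
}

# Copy the boot image to <tftpdir>/<HEX-IP> (default tftpdir /tftpboot) and
# print the resulting path, which is what rarpd -b <tftpdir> will look for.
stage_boot_image() {
    image=$1; ip=$2; tftpdir=${3:-/tftpboot}
    name=$(ip_to_hex "$ip") || return 1
    cp "$image" "$tftpdir/$name" && echo "$tftpdir/$name"
}

# Usage: sh sun-netboot.sh <syslog-line-file> <ip> <image> [tftpdir] [ethersfile]
# Nothing runs when no arguments are given, so the functions can be sourced.
if [ $# -ge 3 ]; then
    mac=$(mac_from_rarpd_log < "$1")
    [ -n "$mac" ] || { echo "no RARP request found in $1" >&2; exit 1; }
    add_ethers_entry "$mac" "$2" "${5:-/etc/ethers}"
    stage_boot_image "$3" "$2" "${4:-/tftpboot}"
fi
```

After staging, the remaining steps are unchanged: start rarpd (with `-b /tftpboot` and `-v` if you want to see the requests), enable tftp in xinetd, and `boot net` from the OBP prompt.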
Now, time for me to get back to installing stuff and seeing what I can help Johnny fix.
- KB
A cool keyboard ? Maybe not.
So everyone seems to be talking about the Optimus Maximus Keyboard. Yes, it's the one where the keytops change their display and you can customise the keys etc. Wow, sounds good. Except it seems that someone missed the memo : most people who use keyboards regularly don't actually look at the keyboard when they are doing stuff; they know where the keys are instinctively. I mean, if you are going to spend a few hours per day, five or six days per week on the same device, how long will it be before you don't need to look at the keyboard ? Can't be long. I can't even remember when I had to look at the keyboard to find stuff on it. And this is me, who changes keyboards a _lot_. And I mean a lot. Like 3 different keyboards a year is my average ( just come over and look at the keyboard graveyard in the back of my machine room ).
Pretty much every time I change the keyboard, I try and look for a new layout; that, along with the laptop keyboards ( I have different layouts and styles there too ), is a good mix I think.
Anyway, if you really want to, check out the video posted at http://uk.gizmodo.com/2008/02/26/video_the_worlds_coolest_keybo.html about the Optimus Maximus. The coolest keyboard around, that is of no use and doesn't even look all that great really.
- KB
CPU Speed issues on a Via Esther
I've got one of these machines, running CentOS-5/i386 :
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 10
model name : VIA Esther processor 1200MHz
stepping : 9
cpu MHz : 1197.077
cache size : 128 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm up pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
bogomips : 2396.00
clflush size : 64
And for some reason, the cpu speed was stuck at
cpu MHz : 399.00
which made no sense to me. I checked cpuspeed and tried signals that should / would make it move a bit faster. Considering it's a 1200MHz machine, I'd like to see it actually run at that speed. Anyway, it turns out that some of these Via MoBo/CPU combo machines have a BIOS-based CPU governor that sets the speed the CPU can run at, and the default setting makes it run in 'Fanless mode' at 400MHz; setting that to 'optimized' gets the CPU going to the max speed of 1200MHz.
Just thought this was something that people in similar situations might be interested in.
- KB
Fosdem 2008
So, the tickets have been bought, people informed, hotel booked, and ... Visa applied for. Tuesday midday is when I find out if the Belgian Govt did grant me a Visa or not. So depending on the outcome from there, I shall see some of you in Brussels the next weekend. Or maybe not.
- KB
Notes:
*) The Eurostar website will try and sell you 'Senior' tickets only. Of course you need to be 60+ on the day of travel. It's not possible to buy non-'Senior' tickets from their website at the moment. A phone call to their website support people indicates it's something they are aware of and it's something they are thinking of scheduling time for to think about the fix..... *sigh*
*) Don't you think £68.50 for the 3 day Visa is a bit of a rip off ? Anyone from the Belgian Embassy.. no wait... they outsourced the visa application process to someone else.
back
I am back in London, but really tired. Think I might sleep a bit.
Also, Virgin Atlantic is a terrible airline to fly with. If you ever get a choice, take the other airline, since clearly * > VA.
- KB
brb :D
Slight change in plans means I will be back in the UK and back online by the 8th/9th Feb.
cya'll then!
- KB
semi offline for a few days
I am off traveling for a few days. So emails might be a bit slow and since I am going to be in a different timezone, things might even happen at odd times of the day!
If you need to, but can't find me on IRC or IM, email me instead; I will be in email contact pretty much all the time.
- KB
Rpm error about Lock table
If you ever get stuck in a situation like this, where anything you do with rpm reports errors in the lock table, or in the database, e.g.:
rpmdb: Lock table is out of available locker entries
error: db4 error(22) from db->close: Invalid argument
That can be fixed:
- Make sure that yum is not running
- Make sure that rpm itself is not running
- Backup the Packages file from /var/lib/rpm
- Make yet another copy of the Packages file from /var/lib/rpm :D
- remove *all* files in /var/lib/rpm
- Copy the Packages file you backed up to /var/lib/rpm
- as root run : chown -R root:root /var/lib/rpm
- as root run : rpm --rebuilddb
That should be it, you can now use rpm and yum again.
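The eight steps above as one script, added here as an example (not from the original post): the database directory, the backup location and the rebuild command are parameters, so the file handling can be rehearsed on a scratch copy of /var/lib/rpm before running it for real, and the two copies of Packages are written outside the directory that gets emptied. The `pgrep` check, the `--dbpath` option to `rpm --rebuilddb` and the `RPMDB_REBUILD_CMD` override are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the rpmdb recovery steps above
# as one function. dbdir and backupdir are parameters; RPMDB_REBUILD_CMD can
# replace "rpm --rebuilddb --dbpath" (e.g. with "true") for a dry run.

# rebuild_rpmdb [dbdir] [backupdir]
#   dbdir      rpm database directory (default /var/lib/rpm)
#   backupdir  where the two copies of Packages go (default dbdir-backup-<timestamp>)
# Prints the backup directory on success so you know where Packages was kept.
rebuild_rpmdb() {
    dbdir=${1:-/var/lib/rpm}
    backupdir=${2:-$dbdir-backup-$(date +%Y%m%d%H%M%S)}
    rebuild_cmd=${RPMDB_REBUILD_CMD:-rpm --rebuilddb --dbpath}

    # Steps 1 and 2: nothing may hold the database open while we work on it.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x 'yum|rpm' >/dev/null; then
        echo "yum or rpm is still running; refusing to touch $dbdir" >&2
        return 1
    fi
    [ -f "$dbdir/Packages" ] || { echo "no Packages file in $dbdir" >&2; return 1; }

    # Steps 3 and 4: two copies of Packages, kept outside dbdir because
    # step 5 empties that directory.
    mkdir -p "$backupdir" || return 1
    cp -p "$dbdir/Packages" "$backupdir/Packages" || return 1
    cp -p "$dbdir/Packages" "$backupdir/Packages.copy2" || return 1

    # Step 5: remove every file in dbdir, including the __db.* region files
    # that carry the stale lock table. Only Packages holds real data; the
    # rest are indexes rpm regenerates.
    find "$dbdir" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} + || return 1

    # Steps 6 and 7: restore Packages and fix ownership (ownership only
    # matters, and only works, when running as root).
    cp -p "$backupdir/Packages" "$dbdir/Packages" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dbdir" || return 1
    fi

    # Step 8: let rpm rebuild the index files from Packages.
    $rebuild_cmd "$dbdir" || {
        echo "rebuild failed; your Packages copies are in $backupdir" >&2
        return 1
    }
    echo "$backupdir"
}

# Usage: sh rpmdb-recover.sh run [dbdir] [backupdir]
# Without "run" nothing happens, so the function can be sourced and tried first.
if [ "${1:-}" = run ]; then
    rebuild_rpmdb "${2:-/var/lib/rpm}" ${3:+"$3"}
fi
```

To rehearse, copy /var/lib/rpm somewhere writable and run `RPMDB_REBUILD_CMD=true sh rpmdb-recover.sh run /tmp/rpmcopy`; the copy ends up with just Packages in it and the two backups beside it, which is exactly the state the real run leaves before `rpm --rebuilddb` repopulates the indexes.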
- KB
Blog update
Quite a few people seem to have had issues posting comments with the previous b2evo version I was using, so here is an update that should fix those issues. If you still have problems, let me know.
- KB
Update: 13/01/2008 it turns out that there were some very generic regexes being matched for spam testing; I've eased them up a bit. Hopefully everyone will now be able to post comments and the spam will still stay away!
