Fedora@LISA2016: Event Report

LISA 2016 (Large Install System Admin “Sysadmin” Conference) 2016 Dec 4-9th,2016, Expo Dec 7-8th,2016.  Hosted Sheraton Downtown Boston.

Attending Ambassadors, Fedora Contributors included: Corey Sheldon (linuxmodder), Nick Bebout (nb), Mike DePaulo (mikedep333), Beth Lynn (bethlynn), Matthew Miller (mattdm), Stephen Gallagher (sgallagh).  Having a rather nice spread of the Fedora Community among us made for a very productive display and sidebar chats amongst ourselves and the Redhat / Centos Table folks we were with. Among us were several conference talk attendees and even a GPG Signing Party (as a BoF).

Day 1 — Wednesday — (Expo):

Things started off a bit sluggish til just after lunch when there was the first break from all talks on Wednesday.  We had folks from all sectors of the industry coming to the booth, and they had mostly upgraded to 25 already.  A few common questions revolved around what was in the pipeline for modularity and issues/gripes with systemd.  Being a ‘ Large Install`  centric conference we saw plenty of folks also asking about using Dockerfiles and cockpit, which mattdm so happily had displayed on one of the two monitors we had been provided at the booth.  Thanks to some pesky hardware or a bad burn, we even had the pleasure of helping one of our own clean install F25 at the booth (bethlynn).  Among several of the talks that some of us attended there were:  Beginner Wireshark, SRE: At a Startup: Lessons from LinkedIn, SRE: It’s people all the Way Down, The Road to Mordor: Information Security Issues and Your Open Source Project. Also of interest to both booth staff and many attendees was LISA Build, think of that as a Cisco NET+ hands-on event, where all skill levels learned/taught things on building networks, configuring routers/load balancers and setting up native IPv6.  Day one ended with a small number of DVDs (F24, as F25 media was not just available) about  75% of our unixstickers supply and about 50% of the combined USBs from the RedHat / Centos booths.

Day 2 — Thursday — (Expo):

Day 2 started at 10a as far as the expo was concerned but several of the team took advantage of the late start to visit local restaurants for breakfast, braving the wind and cold all the while.  Day 2 saw a lot of the same questions and some more complex questions regarding more complex deployments including ones with advanced SELinux and docker images which given the selection of talks that day was quite understandable.  There were several BoFs (Birds Of a Feather) talks on day 2 as is customary at LISA conferences, the note-worthy one from the Redhat / Fedora / CentOS team was the GPG key signing party which saw less than expected numbers with only 13 attendees but several were either new to key signing or the practice itself. As an uncommon occurrence would have it 3 of the attendees (including Nick Bebout the organizer) that were CACert validators, which would have allowed any interested folks to get over the required 100 points to become a certifier in their own right, sadly this is an aspect of the Web Of Trust (WoT) that is too under publicized.

Several of the booth staff stayed for the Thursday night Google Ice Cream Social, which is always a great networking event that is very low key and laid back.  Nick Bebout (nb) even won (via raffle) a signed copy of the SRE book on website optimization.

All in all, while we still had media on the table at the conclusion, we shared plenty of the other swag and had PLENTY of awesome user interactions with seasoned users and new users alike.  We also had a blast talking and working out ideas amongst ourselves at the booth.

 

Dirty Cow: Privilege Escalation Exploit, Linux Kernel

Okay so likely have heard about this, if you like me use Linux daily, in your college, professional or hobbyist life but like what the heck is it really?

To paraphrase from the initial disclosure docs:

the privilege-escalation vulnerability potentially allows any installed application, or malicious code smuggled onto a box, to gain root-level access and completely hijack the device.

The programming bug gets its name from the copy-on-write mechanism in the Linux kernel; the implementation is so broken, programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory

So exactly what does all that mean?  It means your web facing servers and even Androids have a big time issue with multi tasking in a sense.  This bug allows for what is called a ‘race condition’  which as you may have guessed makes for a first one in wins scenario.  The bad part is that that allows the kernel to be tricked into mapping a new ‘page’  (a coding term for the memory allocation) without fully un-allocating or ‘unlocking’  the previous one. This in turn allows for a bad memory page to get into a root-owned (the almighty full system admin) which is bad news.  The process that is overwritten or bypassed is called Copy-On-Write  (hence the COW part of the name) and being that the race condition is executed by using and triggering dirty paging within or  in an effort to gain privileged access its been Dubbed Dirty CoW.  If you feel so inclined to read the much more technical details feel free to read up on CVE 2016-5195

F24 Updated ISOs available. (Kernel with Dirty Cow Patched)

It is with great pleasure to announce that the Community run respin team has yet another Updated ISO round.  This round carries the 4.7.9-200 kernel along with over 800 MB of updates (avg,  some Desktop Environments more, some less) since the Gold release back in June.

Torrents will be available at the same link as usual alongside the .iso files.

You have heard about this nasty privilege escalation bug called ‘Dirty Cow’ , well rest assured the infected farm and farmer have been found and the vaccine has been applied to the kernel in these updates. More info on ‘Dirty Cow’  on my blog post on it here.

Below are the contents of Both CHECKSUM512-20161023 and HASHSUM512-20161023 (the later is torrent hashes):

cat CHECKSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA1

8d1c8b9637b1ccc16233ae740e6e0137485574a6f02ab05e66e5a6fb8d5c18a6671395e14341e2cb45f902cd20a4ef987bd83265b68932b8c2183ff2b5194e5e F24-source-20161023.iso
aee5e894dc6b34e207aaa0f23f7a4fd6d16577846d5f7ab3568a234f9e0b2bea1ae814a2291852cb2dbba3930b046ce31cffbcadaf5bff72208a36176eabbecd F24-x86_64-CINN-20161023.iso
6875a43e59a899e4520260e19fb28bb7ade59565b46fc6ad4f22ca8da01c57822ca7ed9373f795377dfaf750d28b6df6c1c083da5d5a0628f8d26553fb744ea0 F24-x86_64-KDE-20161023.iso
197ea70be8337f97f60e2558188e82f53eae0208d3166a7356267dc515e0b7c6204e4b5aae1ae4b44150ff59881a7c2b3d8c998e9dd715872d8c2fe1fe0485c3 F24-x86_64-LXDE-20161023.iso
7f4b48998cb716042a899089f1b292aa77ce5fca44c8d69ceb25f8769da5d9bbe2b29cef728630ae643ad4fc290c64adf270debb228454e620509f039294849c F24-x86_64-MATE-20161023.iso
ffb77a60e5895d4521c58efcbb41bb6afcca7a9a2b3320929cecb9422d00caa1cb7e5f23b04bae9644bf6ea0dae1ab2c9674f4f7ba243acd6250fd5e90221c1d F24-x86_64-WORK-20161023.iso
4ba2915a0ba51b870e7a51eb8d658464bac99f6d998f9f06c26ab8642fedd0212c2ab47c256c7fb5be060494dd6c8eb3279a0d84ca8516db199e45e612d2e502 F24-x86_64-XFCE-20161023.iso
—–BEGIN PGP SIGNATURE—–

iQIVAwUBWA4cJVknYpjSJklEAQJ/JA/+MU/4Xrq8fXdLRbvA4OF62ppOgwaYndi+
iU2bLNACA8251FW8V/okP4zk0yq7s2kWJpjc/ULjmBUflXaUFQJM94C8/vzkhRBF
QDi08YddEhZwcWXO+0Xut+7i8omrvGlXtlgFC9MZrzug2ZMhFBFWs+i26tTlFrsQ
LF4P6GyBu7ozNSuQMUGFz26jmC2lxpWvJHXLqgoHdpKK/TvIlUSFzO5viB4nGfaH
MoUFR8f4pSvFXzo9j7/IbzDjR3j1/UHjT8TKmGIaVlAMhtxkEXUcbpwetvZ2xl3G
rYjFWibMkeW10IAsCLJ+zXPEg0CcBL/+PXjvKHBas/A2PgD0B8VbLgXOpk26wJHq
tMEcgTGNLZqukVysr2eWRNtnaDgWvngIEL8VgtfuYTAOWR4bnpuK30ll22mEA91N
ui8djInyd37nLzVpMdlSD1gnf/OkOu5BxH4Qslw7GNZZHXNyuV1bDIAOtC67CXk3
PRYUdb3/be9MLPYjuvNdsKlUBUBFE/zPHtTOdS1susCylqjJbIWNA8DEOo8pTWmv
+npkvAb647RV20c/5nr5TL0xZvD7dTj/geBPZ8xnf3vSp/p5uNUeBOJ+2JVWj117
4q4yhEb1bEPL0vStyyoFuDHCI8wEDJkwRrZG8PE0I1m6B19lXoA/nfYWd/h6OaQ3
w0tSYvcHqpQ=
=+BTN
—–END PGP SIGNATURE—–

cat HASHSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

c45662c568ecb116fd18e8f2fae4dedb43a17bdd F24-x86_64-CINN-20161023.iso
379d63a42b3e218cc0aefebc176eabe4c508c622 F24-x86_64-KDE-20161023.iso
89cd48b48d4b1163ac0b81fa639b40ae11fc36ae F24-x86_64-LXDE-20161023.iso
9dfb8df60faa611178d430d897ea365f3df4bd00 F24-x86_64-MATE-20161023.iso
240f78a935d54ef5c92491ee14334b14ad4d5951 F24-x86_64-WORK-20161023.iso
4af163e1162642e8d2a2632878106b94c58ac22a F24-x86_64-XFCE-20161023.iso
—–BEGIN PGP SIGNATURE—–

iQIVAwUBWA4cRlknYpjSJklEAQIbKw//U9SbHay3ma/wo1fz1atkVmabYqsAHUZP
NA4iF1iJuFIfgkDIxlnoF8cAHAnxymp13oeA5jd5Mrx8m3TsLkFlv8XRG9tSjyXp
zGtrkxCrqSMNlE71FrU7iicAhOhDa0MvX14o76Zvn03oLfeWCI+Rjl2XTHDwnxPf
vcKKrRR7QSOfD8LjbzaIm1HmnRD83uU2ZEWixdrFwcf0Ris1iiaXffnWLyi11Y0M
TYtu2UWSot/FNsa0tprqh/w0Pb1EOJz6xCjOHbUAlZg0K2WzQd8k+be3AzIaZRUs
r8HmN6xW8RqUnoojk0sbeA3uMAg6UkECbhmI//RLw89g24WBfOGE2bJpBCRIHmZp
aXohVaR9vOpUvjcovg8Ux1UzI01u8C9ncXoAfSLpouaE3iecafNswkGC5NzTKUE+
T6ipz8ORJ14dgnXW0piztf1+tg3uy+P86qcLj2cAX1UKsYPCR6/oUlAt3iO0BPbA
KJxwTNzITIZIA0V83qGQyyiPYH9vv4oP9D/bZjomOpyGchI0BlpA+ldQYXIXtXFv
o697JA8gBzYIjjdqgKZn6srRjHoWDMyLv9qKFShjtadnaKcc2zU1Z3+JA9Bshuhu
LB0ER9kVDhrAblZZZ2GqXhUvSVvZYv86qt6Jg1x/HouLHD0AaOT8oJ/9sdbJyZZl
l5Lt7JcoMH8=
=Vk0T
—–END PGP SIGNATURE—–

#RedhatDID: Retrospective and a look ahead to future events

Oct 6, 2016:  The day several Redhat trainers and industry folks met to talk about best practices and give feedback on the vision and mission ( and speed of progression) of Redhat Enterprise Linux (RHEL) and upstream /  downstream projects and products.  Among one of the most popular Sessions was the one by Robin Price and Martin Priesler on OpenSCAP which was a standing room only  session with nearly  1/3 of attendants in attendance for this talk / session.  Rita Carroll and others setup a interest list for those that would like to attend another OpenSCAP Workshop (mainly centered on a hands-on event but other venues seemed open for debate). If you’d be interested regardless of whether you like me were in attendance please email Rita @ rita@redhat.com with a simple subject line referencing OpenSCAP Workshop (Tysons Area).

All slide decks will be up on the RedHatDID site used for registration within the coming week or two ( some presenters were not  Redhat afterall).

The above link has all the info about all 4  tracks presented and the topics, If you would like more info or a company visit on any topic shown ( or maybe something more topical to your organization) feel free to contact Rita or another event coordinator to schedule.

Next Event will be on Nov 2, 2016 at the Ritz-Carlton, Pentagon City, Va  and is FREE for Gov’t folks when registering for the rest of us Industry folks that’s still only $195 for a 8 hr symposium with some of the most authoritative folks in the industry.

Git clients & servers need checked. Pre-2.7 bugs.

Courtesy of Laël Cellier we are now aware of  several rather nasty  bugs in  git versions 1.7 -1.9, even tho they were patched in 2.7  (released back in Feb, rather quietly  I may add).  The bugs stem mostly form  signed vs. unsigned  integers in a strcopy function path_name()….  okay so now in layman’s terms what the heck does all that mean?

Essentially  when you have a really long  filename or  repo using files with long names using a older version of  git,  there runs a verifiable risk that you run into what is know as a heap_overwrite   aka  100%+ of  container.

 

Source:  git-server-client bugs