Archive for the ‘Fedora Project’ Category

Wanted: A small crew for working on security bugs in Fedora

2014-07-02

Do you hate security vulnerabilities?

Do you want to help make Fedora more secure?

Do you have a little extra time in your week to do a little work (no coding required)?

If you answered yes to the questions above I want you for a beta test of an idea I have to help make Fedora more secure.  I’m looking for just a few people (maybe five) to sort through security bugs and work with upstream and packagers to get patches or new releases into Fedora and help make everyone’s computing experience a little safer.  If you’re interested please contact me (sparks@fedoraproject.org 0x024BB3D1) and let me know you’re interested.

Auditing the Fedora Security Guide

2014-06-17

It’s been a while since anyone has really gone through the Fedora Security Guide.  In the few places I’ve poked at I’ve found a massive build-up of… old stuff.  I’m quite sure that many of those commands don’t do what is said here any longer.

There are ~50 files that need to be looked at to make sure that the information is current and actually tells people the proper thing to do to secure their Linux system.  In support of this mission (that I hope to complete before the release of Fedora 21) I’ve created a wiki page that outlines the goals, explains how to help, and lists the pages that need to be audited and/or updated.  I’d appreciate some assistance if only to have more eyes looking over the pages and making comments on the wiki about things that need to be fixed.

caff gpg.conf file settings

2014-04-01

After years of using caff for my PGP key-signing needs I finally came across the answer to a question I’ve had since the beginning.  I document it here so that I may keep my sanity next time I go searching for the information.

My question was “how do you make a specific certification in a signature?”.  As defined in RFC 1991, section 6.2.1, the four types of certifications are:

     <10> - public key packet and user ID packet, generic certification
          ("I think this key was created by this user, but I won't say
          how sure I am")
     <11> - public key packet and user ID packet, persona certification
          ("This key was created by someone who has told me that he is
          this user") (#)
     <12> - public key packet and user ID packet, casual certification
          ("This key was created by someone who I believe, after casual
          verification, to be this user")  (#)
     <13> - public key packet and user ID packet, positive certification
          ("This key was created by someone who I believe, after
          heavy-duty identification such as picture ID, to be this
          user")  (#)

Generally speaking, the default settings in caff only provide the first level, “generic” certification. Tonight I found information specific to ~/.caff/gnupghome/gpg.conf. As far as I know, this file can contain three lines:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-cert-level 2
ask-cert-level   (works in lieu of default-cert-level: asks you for the level on each signature)

I can’t find any official information on this file as the man pages are a little slim on details.  That said, if you use caff you should definitely create this file and populate it with the above at a minimum, with the exception of default-cert-level, which should be whatever level you feel comfortable with.  My default is “2” for key signing parties (after I’ve inspected an “official” identification card and/or passport).  The other two settings are important as they provide assurances of using a decent SHA-2 hash instead of the default
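As an added example (not from the post, caff or GnuPG), here is a small linter for the gpg.conf settings above: it reports whether the digest options name a SHA-2 hash and which OpenPGP certification type (0x10 to 0x13, the four RFC 1991 levels quoted above) caff’s signatures will carry. SAMPLE_CONF is constructed for the demo; the mapping “cert level N = signature type 0x10 + N” is how GnuPG encodes the level.

```python
# Added example: lint the caff gpg.conf settings discussed above.
# SAMPLE_CONF is constructed for this demo, not taken from a real system.
SAMPLE_CONF = """\
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-cert-level 2
"""

# GnuPG cert level N is emitted as OpenPGP signature type 0x10 + N
# (the <10>..<13> certification packets of RFC 1991 section 6.2.1).
CERT_TYPES = {
    0: (0x10, "generic certification"),
    1: (0x11, "persona certification"),
    2: (0x12, "casual certification"),
    3: (0x13, "positive certification"),
}
SHA2_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}


def parse_gpg_conf(text):
    """Map each 'option value' line of a gpg.conf to {option: value}.
    '#' comments and blank lines are ignored; a repeated option keeps its last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def check_caff_conf(text):
    """Return (signature_type, mode, findings) for a gpg.conf.
    mode is 'ask' when ask-cert-level is set, else 'default'."""
    opts = parse_gpg_conf(text)
    findings = []
    for key in ("personal-digest-preferences", "cert-digest-algo"):
        # personal-digest-preferences may list several algorithms; the first is preferred
        algo = (opts.get(key, "").split() or [""])[0].upper()
        if algo not in SHA2_DIGESTS:
            findings.append(f"{key} is not a SHA-2 digest (got {algo or 'unset'})")
    if "ask-cert-level" in opts:
        return None, "ask", findings          # gpg prompts for the level per signature
    level = int(opts.get("default-cert-level", "0"))   # GnuPG's own default is 0
    if level not in CERT_TYPES:
        findings.append(f"default-cert-level {level} is outside 0-3")
        return None, "default", findings
    return CERT_TYPES[level][0], "default", findings
```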

Fedora Docs’ FAD 2014

2014-03-23

It’s good to get a team together, face-to-face, that usually only meets virtually via IRC on occasion.  The Fedora Docs Project team recently had such an opportunity when they met in the Red Hat offices in Raleigh and Brno.  Linked by a video teleconference, the two groups converged to discuss new work-flows for Publican 4, hacking on some guides, discussing management issues, and working to get the new Docs website built and configured.  Here are some of the highlights of the event:

Work-flow update for Publican 4

The release of Fedora 20 also saw the release of Publican 4.  Publican 4 isn’t quite backwards compatible with the Publican 2 we were using so an update to our work-flow was necessary.  We’ve also made it to a point in our work where using the old web.git repo for publishing just isn’t working any longer.  The new way of publishing involves using Koji to build our documents in RPMs and place them safely into a repository where they can be grabbed by our backend server and be published to the world.  This change not only represents new commands but also a different mindset to publishing.  The new procedures were documented and tested so we’ll be able to start utilizing these as soon as our backend server gets fixed.

Guides hacked upon

You know those guides that seem to languish?  Yeah, I’ve got a few of those.  I did spend some time working on a few guides that will hopefully go live for Fedora 20 or 21.

Accessibility Guide

The Accessibility Guide has really taken a backseat in recent releases.  I’m not sure much has changed for many users but it’s good to keep the document current for any new users that may require a little assistance in making their computer work for them.  I was able to take a lot of stuff out of the guide, mostly GNOME packages that are no longer in Fedora and add a couple of packages I found for KDE.  I’m hoping I can do a better review of what’s available in Fedora before Fedora 21 comes around.

Amateur Radio Guide

I finally got around to adding CQRLOG to the guide.  I really love CQRLOG as a logging program so I’m happy to share some of that information with other amateur radio operators that come to Fedora looking for a FOSS solution for their radio activities.  John made a few additions as well so I suspect the next release will have some added goodness that people should find helpful.

Documentation Guide

This is where I spent most of my time working.  The style guide was moved from the wiki into the guide and other useful information was added as well.

Jargon Guide

This guide has never really seen the light of day.  This is due to the fact that translations of this guide would be nearly useless as they wouldn’t be in any particular order.  Publican 4 fixes this long-standing bug and so I, once again, have hope to publish this book.

Security Guide

Yeah, there’s always some hacking on the security guide when I’m around.  This time there was some testing of the new Yubikey Neo and getting them to do tricks inside Fedora.

New backend server

Jared worked very diligently to create a new backend server.  Unfortunately the documentation was lacking and so we weren’t able to complete the build.  Work continues on this effort.

Videos of the FAD

Because most of the event took place over our video chat you can watch the videos from the meeting: Friday, Saturday, and Sunday.

New version of CQRLOG available for testing in Fedora repos

2014-01-31

Just two short weeks after the release of the previous version of CQRLOG, version 1.7.1 has been released to the public with the following bugfixes:

  • “When TRX control is not active, use frequency and mode from NewQSO window” option to Preferences->Band map added
  • CTRL+N hotkey to QSO list window added (do NOT send QSL)
  • TRX control window was not sizeable – fixed
  • when ESC was pressed twice in Remote mode, log crashed – fixed
  • program crashed when freq was entered with comma as decimal separator – fixed
  • broken grid square statistic fixed

If you can, please evaluate this new package and provide karma.  The new package should already be in rawhide.

CQRLOG 1.7.1 for Fedora 19

CQRLOG 1.7.1 for Fedora 20

Configuring offlineimap to validate SSL/TLS certificates

2014-01-30

I recently upgraded to Fedora 20 and quickly found my offlineimap instance failing.  I was getting all kinds of errors regarding the certificate not being authenticated.  Concerned wasn’t really the word I’d use to describe my feelings around the subject.  Turns out, the version of offlineimap in Fedora 20 (I won’t speculate as to earlier versions) requires a certificate fingerprint validation or a CA validation if SSL=yes is in the configuration file (.offlineimaprc).  I was able to remedy the situation by putting sslcacertfile = /etc/ssl/certs/ca-bundle.crt in the config file.

I won’t speculate as to the functionality in earlier versions but checking to make sure the SSL certificate is valid is quite important (MITM).  If you run across a similar problem just follow the instructions above and all should, once again, be right with the world.
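As an added example (not from the post or from offlineimap), here is a check that scans an .offlineimaprc for IMAP repositories with ssl enabled but no way to validate the server certificate, the combination described above; it accepts either sslcacertfile (CA validation, the fix used here) or cert_fingerprint (offlineimap’s fingerprint pinning option). SAMPLE_RC and FIXED_RC are constructed for the demo.

```python
# Added example: find offlineimap repositories that use SSL/TLS without
# certificate validation.  The configs below are constructed for the demo.
import configparser

SAMPLE_RC = """\
[general]
accounts = Work

[Account Work]
remoterepository = WorkRemote

[Repository WorkRemote]
type = IMAP
remotehost = imap.example.com
ssl = yes
"""

# The remedy from the post: point offlineimap at the system CA bundle.
FIXED_RC = SAMPLE_RC + "sslcacertfile = /etc/ssl/certs/ca-bundle.crt\n"


def unsafe_ssl_repositories(rc_text):
    """Return the names of IMAP repositories that set ssl = yes but configure
    neither sslcacertfile (CA validation) nor cert_fingerprint (pinning)."""
    # interpolation=None: offlineimap configs may contain '%' in passwords/paths
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(rc_text)
    unsafe = []
    for section in cfg.sections():
        if not section.startswith("Repository "):
            continue
        if cfg.get(section, "type", fallback="").upper() != "IMAP":
            continue
        if not cfg.getboolean(section, "ssl", fallback=False):
            continue  # plaintext IMAP is a different problem, not this check
        validated = (cfg.get(section, "sslcacertfile", fallback="").strip()
                     or cfg.get(section, "cert_fingerprint", fallback="").strip())
        if not validated:
            unsafe.append(section.split(" ", 1)[1])
    return unsafe
```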

Categories: Fedora 20, Integrity, Security

Fedora F21 Election schedule slip and moving forward

2014-01-24

As posted earlier on the Fedora Announce List.

The F21 Election schedule slipped and I’ve reworked the election schedule. Please note that we’ve opened up input for the questionnaire so there is still time to ask a question if you haven’t already done so. Additional information will be transmitted per the schedule.

Fedora Board Elections

There are two nominations for two open seats on the Board: Neville Cross and Haïkel Guémar. Because there were no other challengers we won’t hold an election or townhall for these candidates.

FESCo (Engineering) Elections

There are six nominations for four seats on FESCo: Stephen Gallagher, Dennis Gilmore, Miloslav Trmač, Marcela Mašláňová, Toshio Kuratomi, and Kyle McMartin. Because there are challengers for the seats we’ll hold a townhall and an election based on the updated schedule[0]. Input for the questionnaire for the candidates has been reopened until 23:59 UTC on 27 January 2014.

FAmSCo (Ambassadors) Elections

There are four nominations for three seats on FAmSCo: Neville A. Cross, Truong Anh Tuan, Marcel Ribeiro Dantas, and Jon Disnard. Because there are challengers for the seats we’ll hold a townhall and an election based on the updated schedule[0]. Input for the questionnaire for the candidates has been reopened until 23:59 UTC on 27 January 2014.

Categories: Fedora 21, Fedora Project

New CQRLOG package available for testing

2013-11-15

I’ve just built the latest version of CQRLOG, version 1.6.1, for Fedora 18 through 21.  The packages are being pushed to the updates-testing repos now and should be available soon.  If you use CQRLOG in Fedora from the repositories I’d appreciate you testing this latest build and giving karma if it works (or doesn’t work) for you.

This update provides the following enhancements and bugfixes:

  • 630M band added
  • added OQRS (online QSL request system) to QSL sent menu
  • added “Always sort by QSO date” option to Search function
  • cursor is moved to last opened log in DB connection window
  • “Ask before creating a backup” option to “Auto backup” added
  • band map is much faster, a few optimization added
  • program froze for a few milliseconds with every bandmap refresh – fixed
  • “MySQL server has gone away” problem fixed
  • membership values collation were case sensitive – fixed
  • ADIF import sometimes crashed with access violation, now will show what happened
  • qrz search with right click on a call in the recent QSOs list didn’t work
  • band map font settings was not loaded when program started

Thanks!

Reflections on Trusting Trust

2013-09-18

This is an old paper written back in 1984 by Ken Thompson.  Mr. Thompson describes why it is so difficult to trust software even when you have access to the source code.  We are now reading daily about how the NSA has access to our network communications and even our computers.  If they have access you can believe that others, completely unrelated to the NSA, have access as well through many of the same software bugs or network connections.  It will be difficult to figure out how to get past these problems.  Fortunately we do have smart people thinking about these things daily.

Categories: Fedora Project, Integrity, Security

Fedora still vulnerable to the BEAST

2013-09-12

This morning I was greeted with a blog post from the fine folks over at Qualys on how BEAST isn’t really still a threat (unless you are using an Apple product).  BEAST, a vulnerability found in SSL and TLS 1.0, was discovered around this time a couple of years ago and put web users in a precarious position of using a poor cipher choice (RC4) or be vulnerable.  Not to worry, however, as developers were able to come up with a solution to the problem (n/n-1).

So I mentioned the Qualys article in my $dayjob IRC channel where my always awake coworker provided information that Fedora is, in fact, still vulnerable to the attack.  Thanks to a problem with pidgin-sipe connecting to a Microsoft server, the n/n-1 split was backed out of the NSS software leaving anything that depends on it potentially vulnerable (Chrome, Firefox, and Thunderbird to name a few).

There is a fix, although it’s not fantastic by any stretch of the imagination.  By simply adding these two lines to your /usr/bin/firefox file the vulnerability should be fixed:

NSS_SSL_CBC_RANDOM_IV=1
export NSS_SSL_CBC_RANDOM_IV

We added these two lines at line 36 and restarted Firefox.  My way-too-awake coworker did a test and confirmed that it was working in his environment.  Your mileage may vary.
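As an added example (not from the post), here is a check-and-apply helper for the workaround above: it tells whether a Firefox launcher script already sets and exports NSS_SSL_CBC_RANDOM_IV=1 (either as the two lines from the post or as a single export line) and, if not, inserts the two lines right after the shebang. It works on the script text, so it can be tried on a copy first; SAMPLE_LAUNCHER is a constructed stand-in for /usr/bin/firefox.

```python
# Added example: detect and (idempotently) apply the NSS_SSL_CBC_RANDOM_IV
# workaround to a launcher script.  SAMPLE_LAUNCHER is constructed.
import re

SAMPLE_LAUNCHER = (
    "#!/bin/sh\n"
    "# constructed stand-in for /usr/bin/firefox\n"
    'exec /usr/lib64/firefox/firefox "$@"\n'
)

# The two lines from the post.
FIX_LINES = ["NSS_SSL_CBC_RANDOM_IV=1", "export NSS_SSL_CBC_RANDOM_IV"]


def has_random_iv(text):
    """True if the script assigns NSS_SSL_CBC_RANDOM_IV=1 and exports it.
    Accepts 'VAR=1' + 'export VAR' as well as a single 'export VAR=1'."""
    assigned = re.search(r"^\s*(export\s+)?NSS_SSL_CBC_RANDOM_IV=1\s*$", text, re.M)
    exported = re.search(r"^\s*export\s+NSS_SSL_CBC_RANDOM_IV(=1)?\s*$", text, re.M)
    return bool(assigned and exported)


def add_random_iv(text):
    """Return the script with the fix inserted after the shebang line.
    Calling it on an already-fixed script returns the script unchanged."""
    if has_random_iv(text):
        return text
    lines = text.splitlines()
    at = 1 if lines and lines[0].startswith("#!") else 0
    return "\n".join(lines[:at] + FIX_LINES + lines[at:]) + "\n"
```

A package update can replace the launcher, so re-running has_random_iv on the installed file is the quick way to see whether the workaround is still in place.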

Hopefully the fix for BEAST can be reapplied to NSS in Fedora soon as leaving users exposed can be dangerous.

Thanks to Hubert Kario for pointing me to, and walking me through, this stuff before my morning coffee.

Update: 2013-09-12 @ 14:30 UTC

Apparently this problem will be persistent according to the NSS package maintainer.  From the ticket:

A bit of information from the nss side of things. The nss disabling patch is not applied on Rawhide or f20, only applied on stable branches. After we branch Rawhide for the next fedora release and we enter in Alpha, I send emails to the fedora development mailing list telling them that NSS_SSL_CBC_RANDOM_IV=1 will be the default as they use updates-testing and ask for feedback on whether it causes problems. Twice they have said it still causes problems. There are still unpatched servers out there. Once we go beta I have to enable the patch again. f20 is entering Alpha soon so I’ll send that email again. I know this bug is for Firefox but I thought it worth informing you that we monitor this every six months for nss.

Update: 2013-10-10 @ 15:22 UTC

After several weeks of inaction I’ve filed a ticket with FESCo to hopefully compel NSS to be remedied and any software that breaks with this fix should be patched to undo the fix.

Update: 2013-10-17 @ 10:32 UTC

I believe this problem has been fixed (finally!) for Fedora 19 and beyond.
