Remotely exploitable bash bug

[Update: 9/25/2014 - A quick check shows that opensuse has a patch for this for 13.1, and presumably for 12.3.  You should update your system as soon as possible.  An email message in the factory mailing list explains why this is not yet fixed for factory and contains a pointer to where you can update bash if your system is running public services (such as a web server).]

This will be brief.  Information is coming out about CVE-2014-6271, a bash bug which is potentially remotely exploitable.

I suggest you do a web search for “CVE-2014-6271” if you are looking for information.  Information on this bug was embargoed until a few hours ago, so better information will soon start turning up.

The bug itself is with the use (and mishandling) of environment variables, particularly when they define shell functions.  The concern is that this might be a vector of attack via shell scripts that can be invoked remotely, such as cgi-scripts on web servers.

I’m not personally concerned.  I am not running a web server, and I doubt that I have any easy attack points for this bug.

There’s no information on when opensuse will fix this, though they are working on it.  The bug is mentioned in the opensuse mailing list, which is where I heard about it.

OpenSUSE 13.2 Beta1 is available for testing

The beta1 release of 13.2 was made available yesterday.  Here’s the announcement:

and here’s the download page:

Yesterday, I downloaded and did a couple of installs.

Quick summary

My installs went pretty smoothly.  They are better than I have previously seen with beta releases.  Still, there were some install quirks and I’ll go through those below.


Opensuse factory and opensuse 13.2 – status

Here are a couple of interesting links that I saw today:

I’ll add my own comments here.

Factory

The first of those links is about the number of adoptions of factory.  It is good to see that the number has been growing.  However, I’ll suggest a bit of caution in interpreting them.

I’ll use myself as an example.  When I went with Tumbleweed on one of my systems, I first installed 13.1 as a clean install, then switched it to Tumbleweed.  I expected to continue to update that until 13.2 is released.


Opensuse live KDE factory snapshot 20140820

Most of my installs have been with the DVD image.  I decided it was time to try out the live KDE image.

I mainly wanted to test out the new NetworkManager applet for KDE, and for a good test I needed to do that on my laptop.  I had previously been using factory snapshots on desktop machines rather than laptops, so with an ethernet connection rather than WiFi.

Downloading

It was easy enough to download the image.  I looked in the download directory to see what was there, and then copied the link for the 64-bit KDE live image.  I used “aria2c” to download the iso.  Then I downloaded the sha256 checksum (I just appended “.sha256” to the link I had copied).  I used the checksum to verify that I had a good download.  I would have preferred a gpg signature, but we make do with whatever is available.

Next, I wrote that iso file to a USB.  The USB device shows up as “/dev/sdd”, so I used the command:

# dd_rescue openSUSE-Factory-KDE-Live-x86_64-Snapshot20140820-Media.iso /dev/sdd

to create the live USB.

Opensuse factory 20140816 and Nvidia graphics

A few days ago, I decided to install the latest factory snapshot on my older computer — the one with a Nvidia Geforce 6150LE graphics card.  Mostly, it was uneventful, except for issues related to the Nvidia graphics.  The install itself went smoothly.  As we move closer to the release time for opensuse 13.2, the factory installs seem to be going well.

Installing

I actually installed factory snapshot 20140813, in spite of what I listed in the title above.  This replaced the kubuntu 14.04 that I had previously installed in the spare partition of this computer.

As is my usual practice, I downloaded the iso image for the full DVD installer from the factory download page.  I used “aria2c” for the download.  I gave “aria2c” the link for the iso, and it managed to find the meta file that it needs.  The download was smooth.


Factory notes — Gnome classic and kdewallet

I am continuing to use opensuse factory.  Today, it updated to the 20140805 snapshot.  Factory continues to be mostly working as it should.  Here I’ll post a few notes about how it looks.

Gnome Classic

The Gnome Classic extension was introduced for opensuse 13.1.  However, it never quite worked.  I was able to get it working by switching to “gdm” as login manager.  But I don’t much care for “gdm”, so I soon switched back.

Both “kdm” and “lightdm” have menu selections to login to Gnome.  However, they didn’t work.  With either of those as login manager, selecting “Gnome Classic” resulted in a login to Gnome.  The Classic extension was not activated.

There is a way to manually load Classic once you are in Gnome.  I’ve tried that, but I don’t remember the details (it did work).


Opensuse factory as a rolling release

I’ve  been running factory on my desktop for a while now.  And, overall, it has been doing well.  This updates my experience.

There was a hiatus of around three weeks between the last snapshot in June, and the 20140721 snapshot.  The factory repos were not updated during that period.  This was apparently due to the errors that were showing up in the openQA testing.  In a way, that’s a good sign.  It indicates that the opensuse team really is trying to avoid giving you a broken installation.

The 20140721 snapshot

When the 20140721 snapshot was published, there was an admission that there was still some brokenness.  I updated my system anyway, running

zypper dup

from a text console.   And that worked out pretty well.  I did not run into any serious problems.  Gnome 3 would now run, which it had not done after the previous update (Intel video problems).  There was a minor problem with akregator.  When I shut down akregator, the KDE crash reporter shows up.  It looks as if akregator is crashing during the last stages of closing.  But it has already saved any volatile data, so the problem is at most minor.


Blogging notes

A couple of notes relative to reading and posting blogs.

Double posting – they fixed it

For several months, I have been plagued with double-posting issues.  No, posts have not appeared twice.  But, when I follow posts via my RSS reader (akregator), many posts have shown up there twice.  This has mainly been a problem with wordpress.com hosted blogs.  This has been going on for several months.

When I investigated, I could see what seemed to be happening.  I’ll illustrate with an example:


Nvidia, factory and opensuse 13.2

Yesterday, I decided to recheck the nvidia site for drivers.  And it turns out that they have a new bunch of drivers there.  For my card, they now have 304.123.  On my last check, around two weeks ago, the latest that they had was 304.121 which did not work with a factory install — factory is mostly a preparatory version leading toward a future 13.2.

I hastily installed a recent factory snapshot on my older Dell box (the one with the nvidia card).  I actually installed on an external drive,  because this was mostly for testing.

After install, I proceeded to install the nvidia driver the hard way.  I then rebooted to test.  And it is working very well.

Progress toward opensuse 13.2

As previously posted, the opensuse team have turned factory into a kind of rolling release.  I have it running on a test system, and it does seem reasonably stable apart from a problem with Intel graphics on Gnome.

The way it works is that new software is first built on OBS (the Open Build Service), and snapshots are periodically taken and tested at OpenQA.  Only if the tests are satisfactory are the newly built packages moved to the factory repo.

To keep my factory install up to date, I periodically run

zypper dup

My current practice is to use CTRL-ALT-F1 to open a terminal (console) session, login there as root, and run the command to update from there.  I most recently did that this morning.
