Mageia Identity Security Breach

A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.

The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords. Despite the leaked data only appearing to be names and email addresses of users, we strongly urge users to be cautious if the password used for their Mageia account is used elsewhere, and we recommend changing passwords wherever else it is used.

To regain access to your Mageia account, the reset password link should be sufficient for all users without git access.The reset password link can be obtained by asking for a password reset on after which you’ll receive a mail with the link.

For privileged users, a sysadmin should be contacted to regain access.

We sincerely apologise for any problems and inconvenience that this might cause.

Posted in Uncategorized | 11 Comments

Spectre-Meltdown mitigation update

This update comes to us courtesy of tmb, our kernel magician:

Since we released 4.14.18 yesterday, we now are in pretty good shape with the mitigations, especially on x86_64. We now have bits in place for Spectre v1, v2 and Meltdown.

Of course over the coming weeks/months there will be more follow-up fixes upstream to cover corner cases, missed fixes and improvements for all of this…

And we still need Intel and AMD to release microcodes so hardware vendors can release updated BIOS/EFI firmwares and to the public so we can provide microcode updates in case of vendors not providing new BIOS/EFI firmwares.

Oh, and for those that like to check 🙂 The official way of checking the kernel status is:

grep . /sys/devices/system/cpu/vulnerabilities/*

We still lack meltdown support for 32bit in mga6, but we have now (Feb 9th) merged the upstream suggested patches for it in Cauldron, so a kernel with those patches will land in testing later today along with an update to 4.14.19

It still lacks some performance related bits, but we are getting there.

Many thanks to tmb for taking the time to bring us this update!


Edit: we corrected the grep command due to the helpful comments.

Posted in security | 13 Comments

Fosdem 2018 – and a very little roundup

Before we get to FOSDEM, an important update came through in the last few hours – this follows tmb’s explanation from the last roundup:

MGASA-2018-0125 – Updated kernel packages fix security vulnerabilities

Publication date: 11 Feb 2018
Type: security
CVE: CVE-2017-5715, CVE-2017-5753

This kernel update is based on the upstream 4.14.18 and and adds some support for mitigating  Spectre, variant 1 (CVE-2017-5753) and as it is built with the retpoline-aware gcc-5.5.0-1.mga6, it now provides full retpoline mitigation for Spectre, variant 2 (CVE-2017-5715). WireGuard has been updated to 0.0.20180202. This update also fixes the rtl8812au driver that got broken/missing in the upgrade to 4.14 series kernels (mga#22524). For other fixes in this update, read the referenced changelogs.

Many thanks to tmb and the other devs for all their work on this!

We’ll be back with a more complete roundup next week; now to FOSDEM, from one who has been there every year…

Mageia at FOSDEM 2018

Since Mageia was born, FOSDEM has been a very important event for us. Six times we had a booth and our General Assembly during the event, we’ve always had a Mageia dinner and there were always more ways to enjoy meeting one another.

This blog post was almost not written, though, because until less than a week before FOSDEM, it was only sure of one council member, akien, that he’d be there. However, he’d mainly be there for another really nice project, the Godot Engine. Apart from that, our application for a stand was turned down (again).

Six days before FOSDEM, names started to get added to our FOSDEM 2018 Wiki page. One day later, it became certain that ennael would be at FOSDEM and on Wednesday, the number of council members who’d go increased from 2 to 4. It was only after that, that we tried to find volunteers to help organise various ways to meet one another in Brussels.

We do regret that – we’re aware that likely more Mageians would have been there, had things been organised better and earlier!

Informal Non-GA meeting

In the end, there were at least 14 Mageia community members at FOSDEM. We didn’t all manage to meet one another, but most of us were at an informal non-GA meeting (the General Assembly is expected to be done on-line with Mumble later on, so that more council/board/association members can participate).

Most of the things said during the informal meeting will be repeated during the GA, apart from karine stepping forward as new contributor (she’ll be an existing contributor when we have the GA 😉 ) and from a remark that tmb made after ennael told us about the large number of contributors with health problems that we have. He said something like “Mageia, the distribution for people with health issues”. We all laughed, but there’s a lot of truth in that remark: contributors with health issues have always been just as welcome in Mageia as contributors in perfect health.

Mageia wouldn’t exist if it had been created by healthy people only (nor when it had been created by ill people only, of course 😉 ). Anyway, if you’d like to contribute but worry whether you’re healthy enough to be accepted: stop worrying, your contribution is just as welcome as anyone else’s. There’s no minimum amount of work a contributor should do, so find a team or a task and just contribute when you feel up to it 🙂

Mageia dinner on Saturday

Without having made a reservation, and after a good walk along many restaurants, looking for one with enough room for us, eight of us had a nice dinner in a halal restaurant, a “first time” for most or all of us. It has become a tradition to go to another place after the restaurant, to enjoy a waffle . It might not be the best tradition, though, given how much some bellies are growing.

Mageia beer event (lunch) on Sunday

During the non-GA meeting, akien proposed what might become a new tradition: meet around lunch time next day for a beer together. For some it was more lunch than beer, but in any case it was nice to have another opportunity to get together, because without a Mageia stand, there is no natural place to meet.

FOSDEM itself

It seems every year FOSDEM gets more crowded, and more and more often talks attract a lot more interested visitors than fit in the room. I didn’t manage to see ovitters, who was on the GNOME stand – it was so busy I couldn’t get near.

One of the Mageians attending found FOSDEM very difficult:  “Because of the huge amount of people I missed important speaks I wanted to attend as you had to crash and disturb the previous talk to have any chance what so ever to attend until the room was “closed”. While in a room the audio quality in the PA system was so bad I couldn’t hear anything. Because of these issues I will never go there again. I’m very disappointed and frustrated I wasted time on this. This was aimed at FOSDEM so they get criticism, the fact I enjoyed meeting you and other folks is irrelevant.”

Many talks are available as videos here: and here

Future Mageia meetings

Because FOSDEM is so crowded, meaning we couldn’t get access to a room or have a stand, it was kind of difficult for Mageians to get together. Maybe we need to consider some other venue to meet – at a less crowded and better-organised conference, or even outside a conference? Your input is very important here – please comment below, or raise your voice in the Forums or on the mailing lists.

Thanks to Marja for writing this up! W’d hoped to include some pics, but the Mageians who took them have gone all shy – maybe next week…

Posted in events, security, Weekly roundup | 8 Comments

Weekly Roundup 2018 – Week 5

The flood of updates has slowed a little this week:

sox (Mga 5, 6); java-1.8.0-openjdk (Mga 5,6); rsyncMga 5,6; gdk-pixbuf2.0 (Mga5) – as always, check Mageia Advisories for details. Along with the 409 updates that have gone into Cauldron, there’s been plenty happening!

Behind the scenes, work is still happening on the panel applet update mechanism, on further Meltdown/Spectra mitigation, and on the possible Mageia 6.1 release, so the devs and QA folks we all rely on are still very busy indeed. As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening. 

And almost daily, new and updated translations go up; hearty thanks to our translation team, who make Mageia so friendly to users around the world!

Interim info on Meltdown/Spectra mitigation

From tmb, our extremely busy kernel guru for whom we give thanks daily:

If you’re using

grep cpu_insecure /proc/cpuinfo && echo "patched" || echo "unpatched"

and you get


don’t worry – this is an invalid check. Official Linux source does not have any “cpu_insecure” flag.

If you are using   

   cat /proc/cpuinfo | grep bugs

and you get 

bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown

This tells you that you have a CPU that is affected by meltdown and needs to be protected by KPTI. The only way you can get rid of that flag is to buy new hardware. That means according to Intel their new silicon that should become a new CPU by the end of 2018; for AMD and Spectre issues, it means buying a Zen2 based CPU, that is supposed to be out sometime in 2018.

If you have used and the result is “not OK”:

That’s expected. Because:

1. Spectre variant 1 is hard to fix and also more difficult to abuse – it really needs microcode updates, and Intel botched that. According to Lenovo there should be a fix out around February 9th. AMD officially will only ship their microcode update to hardware vendors so it depends on when they will release updated bioses  or we can get the microcode through some other means. There is some code to mitigate here too, but afaik its not upstream yet.

2. Spectre variant 2 also really needs new microcode, and the IBRR/IBPB/… Kernel code mitigations have only started landing in upstream last week, and still need to be backported to the 4.14 longterm branch. And we have the alternative mitigation with minimal retpoline queued in (I plan to push this one later today as soon as I have written the advisories). For full retpoline we need compiler support, something I got patches for during Fosdem, and it’s now patched in gcc 5.5.0 in testing, so the next kernel will have full retpoline.

3. Meltdown has been mitigated since 4.14.13 was released in

NOTE. the Kernel Page Table Isolation mitigation is so far only for x86_64, but some suggested patches have been posted as RFC for i586, and should hopefully land soon-ish upstream and get backported. But then again, meltdown is not as easy on 32bit as it already has the 3G/1G memory split causing other complications.

Now I know some/many distros have “panic patched” stuff with earlier revisions of the fixes, but for example Redhat has afaik backed out of some of the spectre mitigations as it caused more problems than it fixed, so I have chosen to rely on somewhat tested code actually getting accepted and landing upstream.

That’s is where we are at the moment. If upstream keeps current pace we should hopefully have all the bits in place within ~1 week…

Thank you tmb!

In other news:

 The LQ Members Choice Awards polls are on right now. You may want to register and vote for Mageia being your distro of choice to add a little marketing “buzz” to our favourite distro. You can find the polls here:

If you are not a member of the group, you just have to register and then post one reply on their site. This then allows you to vote on various Linux poll items. Pass the word along to other Mageia supporters and make your voice count!

Posted in QA, security, Weekly roundup | 7 Comments

Weekly Roundup 2018 – Weeks 3 & 4

Apologies are due for the missing Roundup for Week 3; while the northern hemisphere has been freezing, down here in the south we have been boiling. Alas, all that heat doesn’t help with concentration! So, this is an aggregated Roundup.


February is FOSDEM month – will you be in Brussels? Even when, as this year, we don’t have a stand, Mageians love to get together at FOSDEM. Check out the Wiki Page for this event, and let people know you’re coming so meetings and the Mageia Dinner can be arranged.

Some news

We were informed that will be down and physically relocated beginning 09:00 on Thursday, February 1. It is expected to be back online by noon that day. Note that their time zone is UTC -5, US Eastern Standard Time.

Updates – Mageia 5 and 6

We’re still, like Zeno and his tortoise, not quite ready to completely finish adding updates to Mageia 5 – there are still a few of the Meltdown and Spectra-related security fixes in the pipeline. We’ll add a separate blog post for the event to keep you informed. Recent security updates to Mageia 5 include nspr, rootcerts, nss, firefox, firefox-l10n, glibc, bind, squid and gdk-pixbuf2.0. Check Mageia Advisories for more details, and note that there are no bugfix updates for Mga5.

An update to the tray applet to upgrade from Mageia 5 to Mageia 6 is in QA testing; watch out for updates to this important utility. We hope it will smooth the path from 5 to 6 for those of you who want to do the version upgrade rather than a clean install.

For Mageia 6, the security update list is even longer – webkit2, kmod-vboxadditions, kmod-virtualbox, virtualbox, graphicsmagick, nspr, rootcerts, nss, firefox, firefox-l10n, glibc, locales, systemd, bind, unbound, golang, mariadb, gdk-pixbuf2.0, gifsicle and squid. Bufix updates include joe , mpv, radeon-firmware, ldetect-lst, libdrm, mesa, wayland-protocols, x11-driver-video-amdgpu, x11-driver-video-ati, x11-driver-video-intel, subtitlecomposer, nvidia340, smtube, smplayer, cargo and rust.


In the two weeks since the last Roundup, a staggering 939 package updates have come through into Cauldron! Maybe the devs are working so hard to keep warm? Thanks to them all, and to the QA/testing and translation folks for their amazing work.

As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening.

Wiki updates

There’s also been lots of work happening on the Wiki, with updates and additions; check out the Recent Changes page, where you can also subscribe to the Atom feed to receive email alerts when changes are made.

Posted in events, Mageia, Weekly roundup | 9 Comments