We are happy to announce, that, as in previous years, we will present our amazing distribution at the Chemnitz Linux Days 2018 (Chemnitzer Linux Tage, CLT) on the 10th and 11th of March. This is one of the biggest OpenSource exhibitions in Germany. This year also a very special year, as it’s the 20th anniversary. We are happy to celebrate this anniversary together, as we have been part of Chemnitzer Linux Days many times before.
This year’s slogan is “Everyone starts once” (original: “Jeder fängt mal an”) and we love this slogan, because it fits us in many ways:
- One of the Mageia’s goals is to be easy for beginners to start into the Linux world, yet provide many things experts will want.
- Also becoming part of our community, and starting to contribute to this magical community is very easy
- We also like to think back to those days when we started our community and distribution seven years ago. We started with a lot of passion but also faced some difficulties. We can look back and be proud of what we have achieved in all those years, especially without any company supporting us…
But back to the CLT: as always there are plenty of interesting talks, and a lot of amazing projects are showing their work and contribution to the open source community . Also for the kids there is a lot to discover. If you become interested in Linux and Mageia in particular, or if you are already an old hand in the area of open source, you are very welcome to come around and take a look at the diverse program.
UPDATE 16:30 UTC: BuildSystem is back online.
UPDATE 18:30 UTC: Website, Bugzilla, Forums, Wiki are back online
UPDATE Feb 28 01:15 UTC: Mailing lists are back online (web interface still WIP)
Before we get in to the roundup, here’s a huge thank-you to the Mageians who helped with all the password resets after our security problem reported last week. Everything is mostly sorted now, but please contact the forum or the discuss mailing list if you still need help.
On to the Roundup:
Over the last two weeks, 1282 packages came into updates/testing – the dev team has not been idle! And as you’ll see below, some security updates are still coming through for Mageia 5, but make sure you’re ready for the EOL if you haven’t yet upgraded to Mageia 6.
- ghostscript – Mga 5, Mga6
- advancecomp – Mga6
- freetype2 – Mga6
- mariadb – Mga5
- jackson-databind – Mga6
- postgresql9.4, postgresql9.6 – Mga5, Mga6
- apache-commons-email – Mga6
- glpi, php-zetacomponents-base – Mga6
- kernel, kernel-userspace-headers, kmod-vboxadditions, kmod-virtualbox, kmod-xtables-addons – Mga6
- kernel-linus – Mga6
- kernel-tmb – Mga6
- quagga – Mga6
- irssi – Mga6
- qpdf, cups-filters – Mga6
- mpv – Mga6
- nasm – Mga6
- openbox – Mga6
- hplip – Mga6
- qarte – Mga6
- pure-ftpd – Mga6
- networkmanager – Mga6
As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening.
A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to identity.mageia.org. However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.
The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords. Despite the leaked data only appearing to be names and email addresses of identity.mageia.org users, we strongly urge users to be cautious if the password used for their Mageia account is used elsewhere, and we recommend changing passwords wherever else it is used.
To regain access to your Mageia account, the reset password link should be sufficient for all users without git access.The reset password link can be obtained by asking for a password reset on https://identity.mageia.org/forgot_password after which you’ll receive a mail with the link.
For privileged users, a sysadmin should be contacted to regain access.
We sincerely apologise for any problems and inconvenience that this might cause.
This update comes to us courtesy of tmb, our kernel magician:
Since we released 4.14.18 yesterday, we now are in pretty good shape with the mitigations, especially on x86_64. We now have bits in place for Spectre v1, v2 and Meltdown.
Of course over the coming weeks/months there will be more follow-up fixes upstream to cover corner cases, missed fixes and improvements for all of this…
And we still need Intel and AMD to release microcodes so hardware vendors can release updated BIOS/EFI firmwares and to the public so we can provide microcode updates in case of vendors not providing new BIOS/EFI firmwares.
Oh, and for those that like to check 🙂 The official way of checking the kernel status is:
grep . /sys/devices/system/cpu/vulnerabilities/*
We still lack meltdown support for 32bit in mga6, but we have now (Feb 9th) merged the upstream suggested patches for it in Cauldron, so a kernel with those patches will land in testing later today along with an update to 4.14.19
It still lacks some performance related bits, but we are getting there.
Many thanks to tmb for taking the time to bring us this update!
Edit: we corrected the grep command due to the helpful comments.