Web services shut down preventively

Posted on April 5, 2017 by Rémi Verschelde

Our sysadmins decided to preventively shut down most of our web services which were still running on end-of-life Mageia versions, as their potential vulnerability to remote attacks was publicised in third party communities.

The migration of those services to Mageia 5 servers was planned but delayed due to a lack of sysadmin time to work on it. The unexpected publicity that it received obviously made this topic a high priority one, our infrastructure being exposed as an easy target. The sysadmins therefore decided to shut down the services to be able to work on the migration without further risks.

Please note that our buildsystems for packages and ISO images are running the latest stable release, and therefore Mageia users need (as far as we know at this stage) not be concerned. The potential risks should be confined to web services of the mageia.org domain – we are nevertheless auditing all servers for traces of intrusion which could have been facilitated by the outdated infrastructure.

We are sorry for the disagreement and this security negligence, and will keep you posted with our progress on this issue and the verification of the services.

Current status:

  • Homepage (www): online
  • Blog: online
  • Identity: online
  • Bugzilla (bugs): online
  • Mailing list (ml): online
  • Wiki: online
  • Forums: online
  • Mirrors index and MIRRORLIST (mirrors): online
  • Git / Svn: online
  • Gitweb / Svnweb: online
  • Buildsystem (pkgsubmit): online
  • Mageia App DB (madb): online

Edit Apr 5, 2017 @ 17:45: Added more details about services being down and the security risks.

Edit Apr 5, 2017 @ 20:45: Instructions to add a specific mirror manually for MIRRORLIST users.

Edit Apr 6, 2017 @ 8:00: Web services had been mistakenly put back online automatically during the night, they are now back offline as necessary.

Edit Apr 8, 2017 @ 1:00: Bugzilla and MIRRORLIST are functional again. Bugzilla was also updated to the latest 5.0.3+ upstream version.

Edit Apr 9, 2017 @ 0:15: Identity is back online.

Edit Apr 20, 2017 @ 15:00: Wiki is back online. Gitweb and Svnweb were also restored in the past week, and the mailing list software will be back soon.

Edit May 26, 2017 @ 21:00: As of now all services are back online! Thanks to our sysadmins for their precious time! 🙂

Posted in Mageia, security, sysadmin | 35 Comments

Weekly roundup 2017 – week 13

Posted on March 31, 2017 by Donald Stewart

Cauldron

The big Cauldron news is that ISO testing for Mageia 6 RC is well under way, new images were generated that will hopefully fix the EFI implementation and some grub config issues. Gnome 3.24 will be available on the upcoming ISOs as pre-testing has not shown any issues. We’re also hoping to have most blocker bugs fixed before the RC release, the list is getting nice and short, so hopefully that wont take long. If you want to get involved with pre-release ISO testing, the QA team always has room for more hardware and hands.

Big updates include:

  • libbluray 1.0.0 – there might be some broken deps with this while the needed packages are rebuilt
  • kernel 4.9.19
  • webkit2 2.16.0
  • firefox 52.0.2
  • urpmi 8.106-2 – this increases the transaction size from 8 to 50, it will help with upgrades from Mageia 5 to 6
  • chrome-gnome-shell – this should add some nice functionality to Gnome

The other big talking point aside from the RC release in the Council Meeting was the inclusion of the new Manatools for system configuration on the ISOs. The ncurses versions will be added, along with dnfdragora, but the integration of the graphical front ends was pushed until after Mageia 6 to give proper testing time.

Mageia 5

R-base was patched against CVE 2016-8714, the other big update is to the kernel, 4.4.59 which will fix a vulnerability found in the pwn2own contest.

Community

We will be at the Libre Software Days in Lyon this weekend, so if you are in the area drop by and meet some of our contributors or catch up on the other projects on show.

We have been using Mypads from Framasoft a lot for blog posts and announcements, this is being written on one in fact. To that end, we have made a ‎€250 donation, full blog about how we use Mypads and Framasoft can be read here.

Posted in bugsquad, community, Mageia, QA, release, users, Weekly roundup | 5 Comments

Donation to Framasoft

Posted on March 29, 2017 by Donald Stewart

When we at Mageia write blog posts and other announcements, we use a collaborative editing tool called Etherpad to draft the text.  In the past, the links to these draft documents were accessible from our mailing list archives and wide open for anyone to access.  Fortunately, we found a better way to do this thanks to Framasoft. Framasoft provides the excellent MyPads platform, which provides a folder to store multiple Etherpads with access control, title editing, and sorting by date and name. Having a single point of access for our draft documents has been a huge help to getting blog posts written and proofread, and has provided a way to keep track of what we have coming. In addition to this excellent service, Framasoft provides other services such as spreadsheets, mindmapping, drawing, and undoubtedly some other tools that we will find useful in the future. A full list can be seen here. While Framasoft does host and offers free usage of these services, it should be noted that their main aim is to develop this platform for self-hosting, not to offer a hosted service.

It is to this end that we would like to announce a donation of 250 to Framasoft. It has always been one of the goals of Mageia to not only develop an excellent high-quality operating system and community surrounding the project, but also to help with the general development and support of Free and Open Source software in the wider community. It is excellent to be able to use and support an association like Framasoft. They offer fantastic services, and supporting them fits with the goals that Mageia has laid out since the beginning. You can read more about the Framasoft association here.

As a further note to this, we would like to look into hosting the Framasoft software on our own infrastructure in the future. Unfortunately, with the infrastructure administration resources we currently have available, our current priorities are the release of Mageia 6 and general upkeep. Further development of our infrastructure will have to take place in the future as time and resources allow. So, in the meantime, we hope that this donation will help to cover our usage of Framasoft’s services.

Posted in Collaboration, community, Mageia, treasurer | 5 Comments

Mageia at JDLL 2017 in Lyon on the 1st and 2nd of April

Posted on March 28, 2017 by Samuel Verschelde

JDLL banner

A quick late notice that a few contributors will have a stand at the yearly Libre Software Days in Lyon (“Journées du Logiciel Libre”, in French), as they do every year, next weekend (1st and 2nd of April).

As always, it’s a nice occasion to discuss and get to know others in the Mageia community (which includes every user, of course) as well as see what other communities are working on, so if you happen to be able to come, you are welcome!

The event’s program (in french) : http://www.jdll.org/programme/

Posted in community, events, Mageia, users | 5 Comments

Weekly Roundup – 2017, week 12

Posted on March 24, 2017 by Donald Stewart

Another week has passed and there have been many changes with Cauldron as well as continued testing on RC ISOs for Mageia 6. Mageia 5 has also received some important updates.

Cauldron

As we are hoping to release the release candidate for Mageia 6 soon, the focus on development in Cauldron is switching more and more away from new releases and features to focus on bug fixes and getting the packaged software into the best state for release. That being said, there was a major update to Gnome 3.24. This is currently in updates_testing to check was major issues and regressions before being pushing to release if everything is ok.

Another big update was to move to ICU 58.2, which is a requirement for packaging Firefox 52 ESR. The rebuilds went relatively well in core/updates_testing, but after the rebuilt packages were moved to core/release, some issues appeared with Cauldron. Ironically, all Mozilla software (Firefox, Thunderbird, Seamonkey/Iceape) crashed with this new version, forcing us to rebuild them against their bundled ICU code base. We could finally fix the crashes with the system library by adding Mozilla patches to ICU 58.2, which should hopefully allow us to package all Mozilla software against the system ICU.

There were updates to LibreOffice (5.3.2 RC1) which will be updated to final before Mageia 6 is released. The libinput RC update from last week was also updated to final. Samba was updated to 4.5.7, fixing this Mageia bug and a security issue where a symlink race could be used to gain access to parts of the filesystem not shared, see this CVE for further details. DNF was updated to 2.1.1, Mesa to 17.0.2 and flash player plugin was also updated to 25.0.0.127. Firefox/Thunderbird are currently on versions 45.8.0 ESR, with the intention to update them to the 52 ESR branch for the final release.

ISO testing for Mageia 6 RC started last week, and a new round of ISOs was built yesterday. Testing so far is looking good.

Mageia 5

There have been lots of updates submitted for validation, here is the full list, the highlights of which are:

  • Flash – 25.0.0.127 – multiple CVE fixes
  • Kernel 4.4.55
  • qbittorrent 3.3.11
  • Firefox/Thunderbird 45.8.0, this closes MGASA 2017-0081 and 0082 respectively.

Community

The introduction of packager groups for various programming languages was discussed last week, and acted upon yesterday. As a first step, groups were created for thePerl, Python, Java and PHP stacks. If you’d like to help with the debugging and packaging of those stacks, don’t hesitate to join them. More information is available here.

Posted in community, Mageia, QA, release, Weekly roundup | 11 Comments