Qubes 3.2 dnsmasq update?


Ron Hunter-Duvar

Oct 4, 2017, 8:14:16 PM10/4/17
to qubes-users
Hi,

Saw the news earlier today about the major dnsmasq vulnerabilities
(remote code execution), and already received the update for the
debian-8 template, but not for the fedora-23 template or dom0.

Anyone know of an ETA for this?

Thanks,

Ron

Ilpo Järvinen

Oct 5, 2017, 3:52:33 AM10/5/17
to Ron Hunter-Duvar, qubes-users
dom0 does not have network connectivity.

FC23 has been EOL'ed for a long time, you should upgrade your template to
FC25 or later (as FC24 is likewise EOL'ed). The easiest alternative is to
install the fedora-25 template that is nowadays included in the qubes repositories
(IIRC). Then change your AppVMs having fedora-23 as their template to use
the fedora-25 template.

--
i.

Ron Hunter-Duvar

Oct 5, 2017, 2:41:38 PM10/5/17
to qubes...@googlegroups.com
On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
> On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
>
>> Saw the news earlier today about the major dnsmasq vulnerabilities (remote
>> code execution), and already received the update for the debian-8 template,
>> but not for the fedora-23 template or dom0.
>>
>> Anyone know of an ETA for this?
> dom0 does not have network connectivity.

Yeah, I wondered about that. Any reason for it to even have dnsmasq
installed? Because it does.


> FC23 has been EOL'ed for a long time, you should upgrade your template to
> FC25 or later (as FC24 is likewise EOL'ed). The easiest alternative is to
> install the fedora-25 template that is nowadays included in the qubes repositories
> (IIRC). Then change your AppVMs having fedora-23 as their template to use
> the fedora-25 template.
>

I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it
EOL in 2015?

I use debian-8 for all my appvms. I changed the default before I created
any of them.

But I still need it for my servicevms. Especially since they're the ones
exposed to the internet (although still behind a separate firewall, but
that's potentially affected too).

Haven't had time to look into how to setup a new template and convert
the servicevms. But for this, if there's no fix coming, I guess I'll
have to deal with it.

Thanks,
Ron

Unman

Oct 6, 2017, 7:05:51 PM10/6/17
to Ron Hunter-Duvar, qubes...@googlegroups.com
No, Fed 23 was EOL in December 2016.
It's still used in dom0 because there should be little call to upgrade
dom0 - see the explanation here:
www.qubes-os.org/doc/software-update-dom0/

The install disk still contains fed23 templates and you're expected to
update as soon as you have installed.

To install a new template all you have to do is:
sudo qubes-dom0-update qubes-template-fedora-25

This will install the template and you can then just switch your
serviceVMs - either using Qubes Manager, or by:
'qvm-prefs <qube> -s template <template>'.

Of course, there's no reason why you shouldn't use Debian for all your
qubes, and ditch the Fedora template altogether.

unman

Ron Hunter-Duvar

Oct 6, 2017, 11:04:40 PM10/6/17
to qubes...@googlegroups.com, Unman
On October 6, 2017 5:05:49 PM MDT, Unman <un...@thirdeyesecurity.org> wrote:
>On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
>> > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
...
Thanks for the tip. I don't remember seeing it in the getting started material I read. Doing it now.


>This will install the template and you can then just switch your
>serviceVMs - either using Qubes Manager, or by:
>'qvm-prefs <qube> -s template <template>'.
>
>Of course, there's no reason why you shouldn't use Debian for all your
>qubes, and ditch the Fedora template altogether.

Do you mean I can switch my servicevms to Debian? I don't want to create any unnecessary headaches for myself right now, but I much prefer Debian.


>unman

Thanks,
Ron

Ron Hunter-Duvar

Oct 7, 2017, 3:19:07 PM10/7/17
to qubes...@googlegroups.com, Unman
On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote:
> On October 6, 2017 5:05:49 PM MDT, Unman <un...@thirdeyesecurity.org> wrote:
>> On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> ...
>> The install disk still contains fed23 templates and you're expected to
>> update as soon as you have installed.
>>
>> To install a new template all you have to do is :
>> sudo qubes-dom0-update qubes-template-fedora-25
> Thanks for the tip. I don't remember seeing it in the getting started material I read. Doing it now.
>
>
>> This will install the template and you can then just switch your
>> serviceVMs - either using Qubes Manager, or by:
>> 'qvm-prefs <qube> -s template <template>'.
>>
>> ...
Well, I did all this, and confirmed that the sys-* servicevms are all
using Fedora 25, but it still has dnsmasq version 2.76. According to
US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
me, given the length of time that the exploit code has been public.
Surprises me too, since Debian had it out in a matter of hours.

However, it's not running in any of these, nor in dom0. Should I just
uninstall it?

Thanks,
Ron
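The procedure unman describes (install the fedora-25 template, re-point each sys-* qube at it) and the check Ron then ran (which dnsmasq the new template actually ships) can be put into one script. The following is an added example, not code from the thread or from the Qubes project. It assumes Qubes 3.2 tooling as used in the posts above (`qubes-dom0-update`, `qvm-prefs <qube> -s template <template>`, `qvm-ls --raw-list`, `qvm-prefs -g <qube> template`, `qvm-run -p`), that a qube must be halted before its template can be changed, that the upstream fix is 2.78 as Ron quotes from US-CERT, and that Fedora's backported fix carries release 2.76-4 as Reg's message suggests; the last two are assumptions encoded as variables, not facts the thread confirms. Without an argument the script only defines functions; `plan` prints what it would do, `apply` does it from dom0.

```shell
#!/bin/sh
# Added example (not from the thread): migrate qubes off an EOL template and
# verify the dnsmasq package in the replacement template. Qubes 3.2 CLI syntax
# is assumed throughout; all version thresholds below are assumptions.

OLD_TEMPLATE=${OLD_TEMPLATE:-fedora-23}
NEW_TEMPLATE=${NEW_TEMPLATE:-fedora-25}
DNSMASQ_FIXED_UPSTREAM=2.78     # per the US-CERT note Ron cites (assumption)
DNSMASQ_FIXED_FEDORA=2.76-4     # Fedora backport release, per Reg's message (assumption)

# "dnsmasq-2.76-4.fc25.x86_64" -> "2.76-4" (VERSION-RELEASE from `rpm -q` output).
rpm_version_of() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][0-9.]*)-([0-9]+).*$/\1-\2/'
}

# Numeric comparison of dotted/dashed versions: returns 0 when $1 >= $2.
# "2.76-4" and "2.76.4" compare equal; a missing release counts as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, av, /[.-]/); nb = split(b, bv, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in av) ? av[i] + 0 : 0
            y = (i in bv) ? bv[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Is this `rpm -q dnsmasq` string at or past a fixed build? Upstream >= 2.78,
# or the backported Fedora build (same upstream version, release >= 4).
# Anything unparseable (e.g. "package dnsmasq is not installed") returns 1.
dnsmasq_fixed() {
    vr=$(rpm_version_of "$1")
    case "$vr" in [0-9]*) ;; *) return 1 ;; esac
    ver=${vr%%-*}
    if version_ge "$ver" "$DNSMASQ_FIXED_UPSTREAM"; then return 0; fi
    if [ "$ver" = "${DNSMASQ_FIXED_FEDORA%%-*}" ] && version_ge "$vr" "$DNSMASQ_FIXED_FEDORA"; then
        return 0
    fi
    return 1
}

# The dom0 command that re-points one qube (Qubes 3.2 syntax from unman's post).
switch_cmd() { printf 'qvm-prefs %s -s template %s\n' "$1" "$2"; }

# Names of qubes whose template is $1 (assumes qvm-ls --raw-list and qvm-prefs -g).
qubes_on_template() {
    for q in $(qvm-ls --raw-list); do
        [ "$(qvm-prefs -g "$q" template 2>/dev/null)" = "$1" ] && echo "$q"
    done
}

main() {
    mode=$1
    # 1. Fetch the new template; dom0 has no network, the download goes via the UpdateVM.
    [ "$mode" = apply ] && sudo qubes-dom0-update "qubes-template-$NEW_TEMPLATE"
    # 2. Re-point every qube still on the old template. The qube must be halted first.
    for q in $(qubes_on_template "$OLD_TEMPLATE"); do
        cmd=$(switch_cmd "$q" "$NEW_TEMPLATE")
        if [ "$mode" = apply ]; then
            qvm-shutdown --wait "$q"
            $cmd
        else
            echo "would run: $cmd"
        fi
    done
    # 3. Don't assume the new template is patched: ask it what it ships.
    if [ "$mode" = apply ]; then
        pkg=$(qvm-run -p "$NEW_TEMPLATE" 'rpm -q dnsmasq')
        if dnsmasq_fixed "$pkg"; then
            echo "$NEW_TEMPLATE: $pkg (fixed build)"
        else
            echo "$NEW_TEMPLATE: $pkg (NOT a fixed build; remove dnsmasq or wait for the update)"
        fi
    fi
}

case "${1:-}" in plan|apply) main "$1" ;; esac
```

Step 3 is the part Ron's post shows matters: a freshly installed fedora-25 template still reported 2.76, so the migration alone did not close the hole. Comparing the release number only makes sense against the same upstream version, which is why the backport check is gated on `ver` matching 2.76.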

Reg Tiangha

Oct 8, 2017, 12:44:12 AM10/8/17
to qubes...@googlegroups.com
On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:

> Well, I did all this, and confirmed that the sys-* servicevms are all
> using Fedora 25, but it still has dnsmasq version 2.76. According to
> US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
> me, given the length of time that the exploit code has been public.
> Surprises me too, since Debian had it out in a matter of hours.
>
> However, it's not running in any of these, nor in dom0. Should I just
> uninstall it?
>
> Thanks,
> Ron
>

It's weird, but it seems like every distro *but* Fedora has released an
updated version or version with a backported fix. Even Red Hat
Enterprise has done it. I don't know what the hold up is, but it'll be a
package with a backported fix and currently it's set to be 2.76.4 (or
greater if more bugs are found).

https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24

Ron Hunter-Duvar

Oct 8, 2017, 9:27:58 AM10/8/17
to qubes...@googlegroups.com, Reg Tiangha
One of the reasons I like Debian so much is the priority they put on security. That, and stability. You may not get all the latest shiny stuff, at least not in stable, but you know it will be rock solid.

Tried fedora several times in the past, and always went to something else instead.

Ron


Ron Hunter-Duvar

Oct 8, 2017, 10:04:27 PM10/8/17
to qubes...@googlegroups.com, Reg Tiangha
On 10/08/2017 07:27 AM, Ron Hunter-Duvar wrote:
> On October 7, 2017 10:43:55 PM MDT, Reg Tiangha <r...@reginaldtiangha.com> wrote:
>> On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:
>>
>> ...
>> It's weird, but it seems like every distro *but* Fedora has released an
>> updated version or version with a backported fix. Even Red Hat
>> Enterprise has done it. I don't know what the hold up is, but it'll be
>> a
>> package with a backported fix and currently it's set to be 2.76.4 (or
>> greater if more bugs are found).
>>
>> https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24
> One of the reasons I like Debian so much is the priority they put on security. That, and stability. You may not get all the latest shiny stuff, at least not in stable, but you know it will be rock solid.
>
> Tried fedora several times in the past, and always went to something else instead.
>
> Ron

Not really the place for this probably (dev list might be better), but I
wonder if the devs ever considered basing dom0 on Alpine Linux. Running
a lightweight and secure Xen dom0 is one of its intended uses
(https://wiki.alpinelinux.org/wiki/Xen_Dom0).

Hmm, I wonder what it would take to do a variant of Qubes with Alpine
running dom0 and Debian for everything else.

Ron

Marek Marczykowski-Górecki

Oct 9, 2017, 6:46:05 PM10/9/17
to Ron Hunter-Duvar, qubes...@googlegroups.com, Reg Tiangha
Having a lightweight dom0 is on the roadmap for Qubes 4.1 - just
after moving the GUI out of dom0, there will be much less stuff there. We
still haven't decided whether we'll move to Debian or Alpine there, but
we may also postpone that switch for a later release - depending on how
much time the GUI VM will take.

> Hmm, I wonder what it would take to do a variant of Qubes with Alpine
> running dom0 and Debian for everything else.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?