Push Fedora base to v23 to gain package hardening


Jaxxon

Sep 22, 2015, 10:51:52 AM
to qubes-devel
I know you were supposed to move to v22 for the next major Fedora update, but unless you're already far into v22 development, it seems that v23 would be a much better choice thanks to all the package hardening they've done.

> Fedora 23 includes a number of changes that will improve all of the editions. For example, Fedora 23 makes use of compiler flags to improve security by hardening the binaries against memory corruption vulnerabilities, buffer overflows, and so on. This is a “behind the scenes” change that most users won’t notice through normal use of a Fedora edition, but will help provide additional system security.
>
> Likewise, Fedora 23 has disabled SSL3 and RC4 by default due to known vulnerabilities in the protocols. This means all applications that use GNUTLS and OpenSSL libraries have had the SSL3 protocol and RC4 cipher disabled.
>
> Fedora 23 comes with the latest version of Mono 4. This means a big improvement because we were stuck with an ancient version of Mono (2.10) for too long. All packages within Fedora that are based on Mono have been adjusted and rebuilt, to target the 4.5 version of the .Net framework. Mono 4 does not support solutions targeting v1.0, v2.0 or v3.5 of .Net, but usually they can be easily upgraded to v4.5.

http://fedoramagazine.org/fedora-23-beta-released/

https://fedoraproject.org/wiki/Changes/Harden_All_Packages
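The "compiler flags" hardening referred to above (the Harden_All_Packages change: PIE plus full RELRO for every package) leaves visible marks in the ELF headers of the resulting binaries, so a template maintainer can verify it rather than trust the release notes. The following checker is an added example for this thread, not code from Qubes or Fedora. It parses only what the kernel and dynamic loader look at: `e_type`, the `PT_GNU_RELRO` and `PT_GNU_STACK` program headers, and `DT_FLAGS`/`DT_FLAGS_1` in the dynamic section. The PIE test uses the classic heuristic "ET_DYN with a PT_INTERP" (a shared library is also ET_DYN but has no interpreter); that heuristic and the constructed in-memory ELF images used as sample input are assumptions of this example. Stack canaries and FORTIFY_SOURCE need symbol tables and are deliberately out of scope.

```python
import struct
import sys

# ELF constants (as in elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def check_hardening(data: bytes) -> dict:
    """Report PIE / NX-stack / RELRO state of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    has_interp = has_relro = False
    stack_exec = None          # stays None if PT_GNU_STACK is absent (legacy: executable stack)
    dyn_flags = dyn_flags1 = 0
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section until DT_NULL, picking up the BIND_NOW flags
            off, end = p_offset, p_offset + p_filesz
            while off + DYN.size <= end:
                tag, val = DYN.unpack_from(data, off)
                off += DYN.size
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS:
                    dyn_flags = val
                elif tag == DT_FLAGS_1:
                    dyn_flags1 = val

    bind_now = bool(dyn_flags & DF_BIND_NOW) or bool(dyn_flags1 & DF_1_NOW)
    # Partial RELRO: a read-only segment exists but the GOT is filled lazily.
    # Full RELRO: BIND_NOW forces eager resolution, so the GOT is read-only too.
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    return {
        "pie": e_type == ET_DYN and has_interp,   # heuristic, see lead-in
        "nx": stack_exec is False,                # explicit non-executable stack only
        "relro": relro,
    }


def build_sample_elf(e_type=ET_DYN, pie_interp=True, relro=True,
                     bind_now=True, exec_stack=False) -> bytes:
    """Constructed sample: ELF header + program headers + dynamic section.
    Not loadable; it only carries the headers the checker inspects."""
    dyn_blob = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    phdrs = []
    if pie_interp:
        phdrs.append((PT_INTERP, PF_R, 0, 0, 0, 0, 0, 1))
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    n_ph = len(phdrs) + 1                      # + PT_DYNAMIC, appended below
    dyn_off = EHDR.size + n_ph * PHDR.size     # dynamic section follows the phdrs
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_ph, 64, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn_blob


if __name__ == "__main__":
    hardened = build_sample_elf()
    legacy = build_sample_elf(e_type=ET_EXEC, relro=False, bind_now=False, exec_stack=True)
    print("constructed hardened sample:", check_hardening(hardened))
    print("constructed legacy sample:  ", check_hardening(legacy))
    for path in sys.argv[1:]:          # e.g. any binary from a Fedora 23 template
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it with no arguments to see the two constructed samples (hardened: PIE, NX, full RELRO; legacy: none of the three), or pass paths to real binaries to audit a template's installed packages.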


Vít Šesták

Sep 23, 2015, 2:22:20 PM
to qubes-devel
Hello,

do you mean template, or dom0?

While it would be cool for dom0, there is very limited attack surface, so I am not sure if there is any considerable benefit of the hardening. Since dom0 is disconnected from the network, SSL/TLS security tuning does not bring any security benefit. Maybe new Mono could bring some benefit (rather unrelated to security), but I am not aware of any Mono application useful in dom0.

For Fedora 22 TemplateVM, I don't think there is a huge amount of work needed, but I might be wrong. (But I don't care much about Fedora-based TemplateVMs.)

Regards,
Vít Šesták 'v6ak'

Marek Marczykowski-Górecki

Sep 23, 2015, 2:41:34 PM
to Vít Šesták, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Sep 23, 2015 at 11:22:19AM -0700, Vít Šesták wrote:
> Hello,
>
> do you mean template, or dom0?
>
> While it would be cool for dom0, there is very limited attack surface, so I
> am not sure if there is any considerable benefit of the hardening. Since
> dom0 is disconnected from the network, SSL/TLS security tuning does not
> bring any security benefit. Maybe new Mono could bring some benefit (rather
> unrelated to security), but I am not aware of any Mono application useful
> in dom0.
>
> For Fedora 22 TemplateVM, I don't think there is a huge amount of work needed, but I
> might be wrong. (But I don't care much about Fedora-based TemplateVMs.)

Fedora 22 abandoned yum in favor of dnf, so there are a few changes needed.
There is an "fc22" branch in my qubes-builder-fedora repository already,
but it isn't tested thoroughly. We'll work on it after the final R3.0
release.

> Regards,
> Vít Šesták 'v6ak'
>
> On Tuesday, September 22, 2015 at 4:51:52 PM UTC+2, Jaxxon wrote:
> >
> > I know you were supposed to move to v22 for the next major Fedora update,
> > but unless
> > you're already far into v22 development, it seems that v23 would be a much
> > better choice thanks to
> > all the package hardening they've done.
> >
> >
> >
> >
> >
> > *> Fedora 23 includes a number of changes that will improve all of the
> > editions. For example, Fedora 23 makes use of compiler flags to improve
> > security by hardening
> > <https://fedoraproject.org/wiki/Changes/Harden_All_Packages> the binaries
> > against memory corruption vulnerabilities, buffer overflows, and so on.
> > This is a “behind the scenes” change that most users won’t notice through
> > normal use of a Fedora edition, but will help provide additional system
> > security.Likewise, Fedora 23 has disabled SSL3 and RC4 by default due to
> > known vulnerabilities in the protocols. This means all applications that
> > use GNUTLS and OpenSSL libraries have had the SSL3 protocol and RC4 cipher
> > disabled.Fedora 23 comes with the latest version of Mono 4
> > <https://fedoraproject.org/wiki/Changes/Mono_4>. This means a big
> > improvement because we were stuck with an ancient version of Mono (2.10)
> > for too long. All packages within Fedora that are based on Mono have been
> > adjusted and rebuilt, to target the 4.5 version of the .Net framework. Mono
> > 4 does not support solutions targeting v1.0, v2.0 or v3.5 of .Net, but
> > usually they can be easily upgraded to v4.5.*
> >
> > http://fedoramagazine.org/fedora-23-beta-released/
> >
> > https://fedoraproject.org/wiki/Changes/Harden_All_Packages
> >
>


- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJWAvJWAAoJENuP0xzK19csDLIH/3gDKj8FGr4QXd7J5NUfoNzZ
jmk4DpKUrPn/1L6V8PzQhjEOLQioewRVlmXnrBJZKR4hevJK+pluLus88inrKeWT
+tBo1afHKGHUiEyr+nInEjhYBhp74hjOWyAtXjXHMK7VRP701xXcfRbkyZgAHBR0
i0K1YewIBLe4KlxaQyUeUJA5cZMMjeXbR7JMDXNOiRqWpHAcHID9qciYFbaS6vCO
Gwqsx88//10cGulFOhyqtDSfJWOy0V1IN/Z0PE0LF9Oq8O1XVkiZhX5pGg22wGFS
fgbWHxbLtARHFVo/ZjJ8Yp4k7ZRQj60MrHFMGAGDZsGebrg0p96t/LBwnOJEdPs=
=amWI
-----END PGP SIGNATURE-----