Discussion:
Running old version
Christopher Myers
2014-09-25 13:48:07 UTC
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.

My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?

Chris
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
David T-G
2014-09-25 14:20:40 UTC
Chris, et al --

...and then Christopher Myers said...
%
% I have a quick question for folks who run old versions of oS. I know
...
% of many months to run smoothly and exactly the way we want/need it to.

I'm stuck there, but because I chose SuSE for my Plesk build but Plesk
hasn't yet come out with a modern version. I'm not looking forward to
it, but I think I'm going to have to switch to their RH variant because
it's current. Bummer, but I'm getting *more* busy in life, not less.


%
% My question is - how do other folks handle security vulnerabilities
% like this current bash vulnerability? Since oS isn't releasing patches
% for 11.4, 12.2, etc. anymore, how do you get around that? Just leave
% your machines vulnerable? Or compile your own patches?

So far it's been "compile my own", and I do *not* have the time for this
stuff :-( I'd love to stick with SuSE, but I need something better!


%
% Chris


HAND

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
--
jdd
2014-09-25 15:36:30 UTC
Post by Christopher Myers
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
for some years, I had to run an old server with an old debian install, I
couldn't update because the config was awful, I say I managed it
because the previous manager left :-(

It has run well for 3 years like this before I could find time to
rebuild the whole system (including hardware), but I monitored it pretty
closely and never found any suspect activity (in fact nearly no activity
at all :-)

jdd
--
Felix Miata
2014-09-25 18:52:46 UTC
Post by Christopher Myers
how do other folks handle security vulnerabilities like
this current bash vulnerability? Since oS isn't releasing patches for
11.4, 12.2, etc. anymore, how do you get around that? Just leave your
machines vulnerable? Or compile your own patches?
11.4 is Evergreen, which already has an update available for the more
troubling initial bash problem.
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata *** http://fm.no-ip.com/
--
Greg Freemyer
2014-09-25 21:37:04 UTC
On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers
Post by Christopher Myers
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For bash / shellshock, why do you think you're vulnerable?

AIUI, it's not an escalation vulnerability, it just allows apps to get
out of a sandbox.

Thus if you have a webserver on your machine, it might let a webclient
get out of the apache setup and into machine proper. They would still
only have the privileges of Apache (or whatever user you run your
webserver as.)

Are you running any services on those old machines that serve the Internet?

If the only service is ssh, then the user has to log into ssh before
trying anything. If you let those ssh users have an unlimited shell
already, I don't think the vulnerability will give them any new way to
penetrate your machine.

Greg
--
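Greg's point above is that on a server the exposure path is the web server copying request headers into the environment of CGI scripts. As an added example that is not part of this thread, here is a small Python check a defender still running an unpatched old release could run over Apache combined-format access logs to see whether function-definition-style requests have reached the host; the log lines and the 192.0.2.0/24 client addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The bash bug was triggered by a function definition smuggled into an
# environment variable. CGI puts request headers into the CGI process
# environment, so the tell-tale prefix in a header is an empty parameter
# list followed (after optional whitespace) by an opening brace.
FUNC_IMPORT_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def flag_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per header field that carries the function-import prefix."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:          # skip unparseable lines rather than crash
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_IMPORT_RE.search(entry[field]):
                hits.append({"host": entry["host"], "time": entry["time"],
                             "field": field, "value": entry[field]})
    return hits


# Constructed sample log (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:13:48:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [25/Sep/2014:13:49:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "-" "() { :; }; echo probe"',
    '192.0.2.30 - - [25/Sep/2014:13:50:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "(){ :;}; echo probe" "curl/7.37"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in flag_shellshock(SAMPLE_LOG):
        print(f"{h['time']} {h['host']} suspicious {h['field']}: {h['value']!r}")
```

A hit in the log only tells you that someone tried; whether it worked depends on whether the bash behind your CGI scripts was patched, so this is a triage aid, not a substitute for the update.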
Anton Aylward
2014-09-25 22:06:40 UTC
Post by Greg Freemyer
On Thu, Sep 25, 2014 at 9:48 AM, Christopher Myers
Post by Christopher Myers
I have a quick question for folks who run old versions of oS. I know that there are a lot of folks (myself included) who are running older versions of oS, because they don't really have a reason to upgrade - everything is working properly and has been configured over the course of many months to run smoothly and exactly the way we want/need it to.
My question is - how do other folks handle security vulnerabilities like this current bash vulnerability? Since oS isn't releasing patches for 11.4, 12.2, etc. anymore, how do you get around that? Just leave your machines vulnerable? Or compile your own patches?
Chris
For bash / shellshock, why do you think you're vulnerable?
AIUI, it's not an escalation vulnerability, it just allows apps to get
out of a sandbox.
Perhaps into another, enclosing sandbox.
Post by Greg Freemyer
Thus if you have a webserver on your machine, it might let a webclient
get out of the apache setup and into machine proper. They would still
only have the privileges of Apache (or whatever user you run your
webserver as.)
And if you run the Apache server chroot'd then even that is just in
another sandbox. If you've taken care with the setup there is going to
be a very limited set of executables and libraries available.

The main problem with chroot'ing is that it does little to nothing for
the network side of things. If your chroot'd space has a PHP or Perl
executable to support the CGI then the hacker could use those to make a
network move.

Of course the server could be running on a very stripped down virtual
host with a virtual IP address and very aggressive fire-walling.

But the major problem is the database. Most web based applications are
backed by a database. Perhaps it runs on another machine and is accessed via
a network connection. After the hack it can still be accessed.

But please do run the server chroot'd or in a VM as a baseline measure.
It may not be absolute security but it is another layer. There's no
point in making things easy for the hackers.
Post by Greg Freemyer
Are you running any services on those old machines that serve the Internet?
If the only service is ssh, then the user has to log into ssh before
trying anything. If you let those ssh users have an unlimited shell
already, I don't think the vulnerability will give them any new way to
penetrate your machine.
Indeed. SSH penetration is another, quite different, can of worms.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
--
Christopher Myers
2014-09-26 13:41:05 UTC
All true, and good points :) I wasn't thinking so much specifically regarding this particular bash bug, but the broader issue of patches in general (heartbleed, et al.)

I'd considered going with 11.4 evergreen when I did the server build, but at the time couldn't get it to work on my box for whatever reason; it would make it about halfway through booting off of the media (dvd|network|flash all the same) and then the box would totally freeze regardless of what fixes I attempted from Google, what hardware was/wasn't installed, etc., so I had to do 12.2 (which worked fine.) I've done a ton of customization to the box and have it running very sweetly now, and don't have a compelling reason to upgrade it to the new evergreen.

It is mostly secured away from the nastier parts of the internet, so most patches aren't really necessary on it, but I was just curious what others were doing when they were in situations similar to mine.

Chris
--
Wolfgang Rosenauer
2014-09-26 13:48:56 UTC
Post by Christopher Myers
All true, and good points :) I wasn't thinking so much specifically regarding this particular bash bug, but the broader issue of patches in general (heartbleed, et al.)
I'd considered going with 11.4 evergreen when I did the server build, but at the time couldn't get it to work on my box for whatever reason; it would make it about halfway through booting off of the media (dvd|network|flash all the same) and then the box would totally freeze regardless of what fixes I attempted from Google, what hardware was/wasn't installed, etc., so I had to do 12.2 (which worked fine.) I've done a ton of customization to the box and have it running very sweetly now, and don't have a compelling reason to upgrade it to the new evergreen.
It is mostly secured away from the nastier parts of the internet, so most patches aren't really necessary on it, but I was just curious what others were doing when they were in situations similar to mine.
Honestly?
I would build the required patches in OBS for myself. I started that
back in 11.1 and let others get it as well and ooops, it was called
Evergreen.

But actually. Not sure what the nastier parts of the Internet are. So it
is a case by case decision. If you cannot fix it yourself and cannot
make sure to avoid the possibility in the first place you are in trouble
and really should update. At some point you'll have the pain anyway.


Wolfgang
--
Wolfgang Rosenauer
2014-09-26 15:36:16 UTC
Hi,

time to answer finally.
So as you probably know I'm the "founder" of Evergreen just in case.
If a new LTS release with a maintenance period of 5 releases + 6
months was produced with a new version released every 4th release to
provide a 1 release + 6 month stabilizing testing and migration period
overlap would you guys be more inclined to upgrade? It would mean
upgrading around every 4.5 years.
[...]
More importantly is anyone interested in performing some of the work to
make it because it would be an all-community release?
Your ideas are quite ok. I actually always would have liked to have an LTS
version maintained for say 5 years free of charge.
I discussed this years ago as well but people like to discuss with no
action being taken. That's why I just turned it around and started
Evergreen for 11.1 to see what can be done.

After 11.1, 11.2 and 11.4 I can tell you the following:
- no, it's not that much effort to continue maintenance up to 3 years
and probably a bit more
- it'll get hard starting from 3 years if you cannot do for example
service packs to upgrade parts which cannot be maintained anymore
- service packs are a big beast. Not sure if the community can or want
to help enough to get that tested and shipped.
- you need more people but they didn't show up during all the time
- we had some contributors for certain packages (don't know the
number but something in the range from 5-10) but almost all
monitoring and responsibility for everything which was not taken
by someone else was on two people (thanks Stefan)
- this was also the reason we had to end 11.4 maintenance after the
announced lifetime. It was getting too exhausting as a spare time
project

I'm totally proud of what we achieved because it showed that it's not too
much effort but if you get too few people to help you are screwed.

That is also why the Evergreen plans for now are not going to change
unless I see changes in "resources". That might be more contributors or
also other incentives to increase the motivation of the volunteer ;-)
If we have a better understanding what resources are available we can
talk about what to change in the Evergreen/LTS structure. Discussing it,
and this is what I've learned, doesn't bring us anywhere. There are a
lot of people demanding it but practically almost no one wants to invest
anything.

I'll enjoy having a rest until Evergreen for 13.1 is starting again and
being able to do a few other things instead.


Wolfgang
--
Timothy Butterworth
2014-09-26 16:27:28 UTC
On Fri, Sep 26, 2014 at 10:36 AM, Wolfgang Rosenauer
Post by Wolfgang Rosenauer
Hi,
time to answer finally.
So as you probably know I'm the "founder" of Evergreen just in case.
If a new LTS release with a maintenance period of 5 releases + 6
months was produced with a new version released every 4th release to
provide a 1 release + 6 month stabilizing testing and migration period
overlap would you guys be more inclined to upgrade? It would mean
upgrading around every 4.5 years.
[...]
More importantly is anyone interested in performing some of the work to
make it because it would be an all-community release?
Your ideas are quite ok. I actually always would have liked to have an LTS
version maintained for say 5 years free of charge.
I discussed this years ago as well but people like to discuss with no
action being taken. That's why I just turned it around and started
Evergreen for 11.1 to see what can be done.
- no, it's not that much effort to continue maintenance up to 3 years
and probably a bit more
- it'll get hard starting from 3 years if you cannot do for example
service packs to upgrade parts which cannot be maintained anymore
- service packs are a big beast. Not sure if the community can or want
to help enough to get that tested and shipped.
I have been thinking about how we could release service packs or even
updated installers for a while now as well. I have been considering
simply rolling updated installation medium. It would still keep the
same branding version but just include the latest software that was
published through OSS/Update repo. I looked at doing this with SUSE
Studio a while back but did not have time to devote to it at that
point in time. I was thinking of possibly a yearly updated DVD
installer. I do not see the need for other installers for a server
specialized release.
Post by Wolfgang Rosenauer
- you need more people but they didn't show up during all the time
- we had some contributors for certain packages (don't know the
number but something in the range from 5-10) but almost all
monitoring and responsibility for everything which was not taken
by someone else was on two people (thanks Stefan)
- this was also the reason we had to end 11.4 maintenance after the
announced lifetime. It was getting to exhausting as a spare time
project
If the number of releases were cut down to open two active releases
and the packages were cut down to only server target packages this
would essentially change the resource dynamic creating less work of
course.
Post by Wolfgang Rosenauer
I'm totally proud what we achieved because it showed that it's not too
much effort but if you get too few people to help you are screwed.
I agree it would be relatively impossible to maintain particularly if
many packages required back porting with only a small number of
people. Starting out with LTS versions of major OSS projects like
BIND, Apache, etc would help some. Some of the components in 13.1 may
need to be dropped down, like including Firefox in its LTS edition.

If a number of people are actively maintaining software on EOL
versions currently then it would just be a matter of getting to a
an initial software version baseline the majority is happy with and
getting them to share what they are already doing anyway. Which would
save work for everyone.

I am sure these were some of the conversations you had initially
discussing Evergreen as well.
Post by Wolfgang Rosenauer
That is also why the Evergreen plans for now are not going to change
unless I see changes in "resources". That might be more contributors or
also other incentives to increase the motivation of the volunteer ;-)
If we have a better understanding what resources are available we can
talk about what to change in the Evergreen/LTS structure. Discussing it,
and this is what I've learned, doesn't bring us anywhere. There are a
lot of people demanding it but practically almost noone want to invest
anything.
I'll enjoy to have a rest until Evergreen for 13.1 is starting again and
being able to do a few other things instead.
What I am thinking about doing would be different than Evergreen because
it would not include a desktop variant. Evergreen already covers the
desktop well in my opinion and desktops are much easier to clean
install if needed every three years or so.

I personally move my desktops/notebooks/laptops up to each and every
new version usually within the first 3 months of the release but these
are only my personal use systems and I do not have large numbers of
them. In the past it was actually vitally necessary to do this just to
take advantage of the latest drivers. That is less of an issue for me
now as my hardware is older and the newer hardware I do have was
better planned out. Also with more OEMs actively supporting the Linux
kernel now the latest systems I bought all worked without issue but I
did go with the ASUS+Intel+Atheros hardware combination intentionally.

I'm currently not going to plan on trying to take on the full openSUSE
release with this and include all Desktop targeted applications at
all. I am looking at only core server functionality: NTP, LDAP,
HTTP/S, NFS, NIS, SMTP, FTP, SSH, OwnCloud, as well as possibly UTM
components Snort, Squid, ClamAV etc. I do not really want to include
new moving target stuff but make this much more like a Community
Enterprise Server Release.

If this works out I eventually would not mind working on building an
optional turnkey appliance web interface for it like Zentyal offers
http://www.zentyal.org/

I have wanted something like this running on openSUSE for a number of
years now, as I currently have time available for the first time to
actually put serious work into it I think I am going to start by
targeting software parity to Zentyal with openSUSE added components
WebYaST and Machinery Project.

I eventually want to also include a quick turn key for Trouble
Ticket/Request system, CRM, IPAM, ITSM, etc web based services which
could be treated as Installation patterns in Zypper as this would of
course be a Server targeted release.
Post by Wolfgang Rosenauer
Wolfgang
--