Bug#742109: Acknowledgement (Soft lookup during port scan and IPTables log enabled)
Hello Ben, thanks for the response, but we do not use a serial console or similar. In addition to that we've not adjusted our rule set within the last 2 years and had no issues e.g. using the kernel version 2.6.32+29 (amd64) with the configured LOG action on squeeze. Again, thanks for your support. Mit freundlichen Grüßen / Kind regards, Daniel Gassen CC Security & gCERT / gCERT Coordinator Phone: +49 621 60-45903 Mobile: +49 174 3496548 E-Mail: daniel.gas...@basf.com Postal Address: BASF Business Services GmbH, GSI/ITNB - C010, 67059 Ludwigshafen, Germany BASF - The Chemical Company BASF Business Services GmbH, Registered Office: 67059 Ludwigshafen, Germany Companies' Register: Amtsgericht Ludwigshafen, HRB 3541 Managing Directors: Andreas Biermann, Stefan Beck, Wiebe van der Horst Chairman of the Supervisory Board: Dr. Robert Blackburn www.information-services.basf.com From: Ben Hutchings To: Don Armstrong , daniel.gas...@basf.com Cc: rene.fassben...@basf.com, michael.schu...@basf.com, 742...@bugs.debian.org Date: 28.03.2014 22:12 Subject:Re: Bug#742109: Acknowledgement (Soft lookup during port scan and IPTables log enabled) On Fri, 2014-03-28 at 09:17 -0700, Don Armstrong wrote: > On Fri, 28 Mar 2014, daniel.gas...@basf.com wrote: > > any update on this bug report so far? > > Do you need further information from us? > > This looks awfully like > https://bugzilla.kernel.org/show_bug.cgi?id=6816. > > Presumably, you're writing the LOG requests to something (serial console > or similar) which cannot keep up, and the printk blocks. > > You should probably switch to using -j ULOG and ulogd instead of -j LOG. Yes, logging network events to the console without rate-limiting is a misconfiguration. Combining that with a serial console would be a particularly bad idea. This is because the kernel logs synchronously, a deliberate decision to ensure that all messages prior to a crash are actually recorded. Ben. -- Ben Hutchings Always try to do things in chronological order; it's less confusing that way. [Anhang "signature.asc" gelöscht von Daniel Gassen/BASF-IT-S/BASF]
Bug#742109: Acknowledgement (Soft lookup during port scan and IPTables log enabled)
Dear Debian maintainers, any update on this bug report so far? Do you need further information from us? Mit freundlichen Grüßen / Kind regards, Daniel Gassen CC Security & gCERT / gCERT Coordinator Phone: +49 621 60-45903 Mobile: +49 174 3496548 E-Mail: daniel.gas...@basf.com Postal Address: BASF Business Services GmbH, GSI/ITNB - C010, 67059 Ludwigshafen, Germany BASF - The Chemical Company BASF Business Services GmbH, Registered Office: 67059 Ludwigshafen, Germany Companies' Register: Amtsgericht Ludwigshafen, HRB 3541 Managing Directors: Andreas Biermann, Stefan Beck, Wiebe van der Horst Chairman of the Supervisory Board: Dr. Robert Blackburn www.information-services.basf.com From: ow...@bugs.debian.org (Debian Bug Tracking System) To: daniel.gas...@basf.com Date: 19.03.2014 11:12 Subject:Bug#742109: Acknowledgement (Soft lookup during port scan and IPTables log enabled) Sent by:Debian BTS Thank you for filing a new Bug report with Debian. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): Base Maintainers If you wish to submit further information on this problem, please send it to 742...@bugs.debian.org. Please do not send mail to ow...@bugs.debian.org unless you wish to report a problem with the Bug-tracking system. -- 742109: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742109 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#742109: Soft lookup during port scan and IPTables log enabled
091.245273] [2294091.252093] [] ? do_softirq+0x3c/0x7b [2294091.252096] [] ? _local_bh_enable_ip.isra.11+0x76/0x88 [2294091.252102] [] ? bnx2_fw_sync+0x3a/0xea [bnx2] [2294091.252107] [] ? bnx2_reset_chip+0x1a2/0x32d [bnx2] [2294091.252112] [] ? bnx2_reset_nic.constprop.72+0x1b/0xd7c [bnx2] [2294091.252117] [] ? linkwatch_schedule_work+0x54/0x94 [2294091.252122] [] ? bnx2_netif_stop+0xe7/0x109 [bnx2] [2294091.252127] [] ? bnx2_init_nic+0x12/0x5d [bnx2] [2294091.252132] [] ? bnx2_reset_task+0x3c/0x8b [bnx2] [2294091.252136] [] ? process_one_work+0x161/0x269 [2294091.252139] [] ? worker_thread+0xc2/0x145 [2294091.252142] [] ? manage_workers.isra.25+0x15b/0x15b [2294091.252146] [] ? kthread+0x76/0x7e [2294091.252149] [] ? kernel_thread_helper+0x4/0x10 [2294091.252152] [] ? kthread_worker_fn+0x139/0x139 [2294091.252155] [] ? gs_change+0x13/0x13 [2294091.252157] Code: ff ff 48 83 c4 58 c3 56 83 3d fe 11 72 00 00 74 05 e8 32 fd ff ff e8 a7 fe ff ff 59 bf 01 00 00 00 e9 c0 14 00 00 90 90 90 57 9d <66> 66 90 66 90 c3 41 55 41 54 41 89 fc 55 89 f5 29 fd 53 52 48 [2294091.266292] Call Trace: [2294091.266294][] ? vprintk+0x39e/0x3d9 [2294091.266300] [] ? printk+0x43/0x48 [2294091.266303] [] ? ipt_log_packet+0x1f7/0x22a [ipt_LOG] [2294091.266306] [] ? log_tg+0x3f/0x49 [ipt_LOG] [2294091.266310] [] ? ipt_do_table+0x4d7/0x556 [ip_tables] [2294091.266314] [] ? nf_conntrack_in+0x53a/0x607 [nf_conntrack] [2294091.266318] [] ? nf_iterate+0x41/0x77 [2294091.266321] [] ? xfrm4_policy_check.constprop.10+0x4f/0x4f [2294091.266324] [] ? nf_hook_slow+0x68/0x101 [2294091.266327] [] ? xfrm4_policy_check.constprop.10+0x4f/0x4f [2294091.266330] [] ? xfrm4_policy_check.constprop.10+0x4f/0x4f [2294091.266333] [] ? NF_HOOK.constprop.9+0x3c/0x56 [2294091.266336] [] ? ip_rcv_finish+0x3b/0x2d1 [2294091.266339] [] ? __netif_receive_skb+0x3fb/0x42d [2294091.266342] [] ? netif_receive_skb+0x63/0x69 [2294091.266345] [] ? napi_gro_receive+0x1d/0x2b [2294091.266347] [] ? napi_skb_finish+0x1c/0x31 [2294091.266353] [] ? bnx2_poll_work+0x8e7/0x9fa [bnx2] [2294091.266356] [] ? icmp_rcv+0x1c5/0x1e1 [2294091.266359] [] ? wake_up_idle_cpu+0x3b/0x61 [2294091.266364] [] ? bnx2_poll_msix+0x3e/0xad [bnx2] [2294091.266368] [] ? net_rx_action+0xa1/0x1af [2294091.266371] [] ? __do_softirq+0xb9/0x177 [2294091.266374] [] ? call_softirq+0x1c/0x30 [2294091.266375][] ? do_softirq+0x3c/0x7b [2294091.266380] [] ? _local_bh_enable_ip.isra.11+0x76/0x88 [2294091.266385] [] ? bnx2_fw_sync+0x3a/0xea [bnx2] [2294091.266390] [] ? bnx2_reset_chip+0x1a2/0x32d [bnx2] [2294091.266395] [] ? bnx2_reset_nic.constprop.72+0x1b/0xd7c [bnx2] [2294091.266398] [] ? linkwatch_schedule_work+0x54/0x94 [2294091.266403] [] ? bnx2_netif_stop+0xe7/0x109 [bnx2] [2294091.266408] [] ? bnx2_init_nic+0x12/0x5d [bnx2] [2294091.266413] [] ? bnx2_reset_task+0x3c/0x8b [bnx2] [2294091.266416] [] ? process_one_work+0x161/0x269 [2294091.266419] [] ? worker_thread+0xc2/0x145 [2294091.266422] [] ? manage_workers.isra.25+0x15b/0x15b [2294091.266425] [] ? kthread+0x76/0x7e [2294091.266428] [] ? kernel_thread_helper+0x4/0x10 [2294091.266431] [] ? kthread_worker_fn+0x139/0x139 [2294091.266434] [] ? gs_change+0x13/0x13 Mit freundlichen Grüßen / Kind regards, Daniel Gassen CC Security & gCERT / gCERT Coordinator Phone: +49 621 60-45903 Mobile: +49 174 3496548 E-Mail: daniel.gas...@basf.com Postal Address: BASF Business Services GmbH, GSI/ITNB - C010, 67059 Ludwigshafen, Germany BASF - The Chemical Company BASF Business Services GmbH, Registered Office: 67059 Ludwigshafen, Germany Companies' Register: Amtsgericht Ludwigshafen, HRB 3541 Managing Directors: Andreas Biermann, Stefan Beck, Wiebe van der Horst Chairman of the Supervisory Board: Dr. Robert Blackburn www.information-services.basf.com
Bug#742014: We received an soft lookup (CPU#0 stuck for 23s!) during a port scan with a total of 20K packets and IPtables log enabled (without limits!)
Package: base Severity: critical -- System Information: Debian Release: 7.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash
Bug#737827: [DSE-Dev] Bug#737827: I get a segfault of semodule when loading the latest reference policy (v2.20130424) with "make load"
Hello Laurent, thanks for the quick reply. Sure, i can provide you a BT - is there a corresponding debug symbols package available for policycoreutils? Mit freundlichen Grüßen / Kind regards, Daniel Gassen CC Security & gCERT / gCERT Coordinator Phone: +49 621 60-45903 Mobile: +49 174 3496548 E-Mail: daniel.gas...@basf.com Postal Address: BASF Business Services GmbH, GSI/ITNB - C010, 67059 Ludwigshafen, Germany BASF - The Chemical Company BASF Business Services GmbH, Registered Office: 67059 Ludwigshafen, Germany Companies' Register: Amtsgericht Ludwigshafen, HRB 3541 Managing Directors: Andreas Biermann, Stefan Beck, Wiebe van der Horst Chairman of the Supervisory Board: Dr. Robert Blackburn www.information-services.basf.com From: Laurent Bigonville To: daniel.gas...@basf.com Cc: 737...@bugs.debian.org, rene.fassben...@basf.com, michael.schu...@basf.com Date: 06.02.2014 13:25 Subject:Re: [DSE-Dev] Bug#737827: I get a segfault of semodule when loading the latest reference policy (v2.20130424) with "make load" Le Thu, 6 Feb 2014 11:35:05 +0100, daniel.gas...@basf.com a écrit : Hello, Do you think you could provide us a backtrace? But It's usually better that userspace matches the release of the policy, I already saw issues in the past when mixing the versions. I should maybe start looking at backporting SELinux userspace and policy to wheezy. Anyway this bug is not affecting unstable and the upcoming jessie release and I've marked the bugs as such. Cheers, Laurent Bigonville
Bug#737827: I get a segfault of semodule when loading the latest reference policy (v2.20130424) with "make load"
Package: policycoreutils Version: 2.1.10-9 Severity: important -- System Information: Debian Release: 7.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages policycoreutils depends on: ii dpkg 1.16.12 ii libaudit0 1:1.7.18-1.1 ii libc6 2.13-38 ii libcap2 1:2.22-1.2 ii libdbus-1-3 1.6.8-1+deb7u1 ii libdbus-glib-1-2 0.100.2-1 ii libgcc1 1:4.7.2-5 ii libglib2.0-0 2.33.12+really2.32.4-5 ii libpam0g 1.1.3-7.1 ii libpcre3 1:8.30-5 ii libselinux1 2.1.9-5 ii libsemanage1 2.1.6-6 ii libsepol1 2.1.4-3 ii libstdc++64.7.2-5 ii lsb-base 4.1+Debian8+deb7u1 ii psmisc22.19-1+deb7u1 ii python2.7.3-4+deb7u1 ii python-ipy1:0.75-1 ii python-selinux2.1.9-5 ii python-semanage 2.1.6-6 ii python-sepolgen 1.1.5-3 ii python-setools3.3.7-3 ii python2.6 2.6.8-1.1 ii python2.7 2.7.3-6 Versions of packages policycoreutils recommends: ii selinux-policy-default 2:2.20110726-12 Versions of packages policycoreutils suggests: pn selinux-policy-dev -- no debconf information
Bug#666049: Problems with restorecond while watching on named pipes or sockets
Package: policycoreutils Version: 2.0.82-3 Severity: normal -- System Information: Debian Release: 6.0.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages policycoreutils depends on: ii libaudit0 1.7.13-1+b2Dynamic library for security audit ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l ii libselinux1 2.0.96-1 SELinux runtime shared libraries ii libsemanage1 2.0.45-1 SELinux policy management library. ii libsepol1 2.0.41-1 SELinux library for manipulating b ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip ii python2.6.6-3+squeeze6 interactive high-level object-orie ii python-selinux2.0.96-1 Python bindings to SELinux shared ii python-semanage 2.0.45-1 Python bindings for SELinux polic ii python-sepolgen 1.0.23-1 A Python module used in SELinux po Versions of packages policycoreutils recommends: ii selinux-policy 2:0.2.20100524-7+squeeze1 Strict and Targeted variants of th policycoreutils suggests no packages. -- Configuration Files: /etc/selinux/restorecond.conf changed [not included] -- no debconf information