Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote:
> On October 6, 2017 5:05:49 PM MDT, Unman wrote:
>> On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> ...
>> The install disk still contains fed23 templates and you're expected to
>> update as soon as you have installed.
>>
>> To install a new template all you have to do is :
>> sudo qubes-dom0-update qubes-template-fedora-25
>
> Thanks for the tip. I don't remember seeing it in the getting started material
> I read. Doing it now.
>
>> This will install the template and you can then just switch your
>> serviceVMs - either using Qubes Manager, or by:
>> 'qvm-prefs  -s template '.
>
> ...

Well, I did all this, and confirmed that the sys-* servicevms are all 
using Fedora 25, but it still has dnsmasq version 2.76. According to 
US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns 
me, given the length of time that the exploit code has been public. 
Surprises me too, since Debian had it out in a matter of hours.


However, it's not running in any of these, nor in dom0. Should I just 
uninstall it?


Thanks,
Ron

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/728aa211-a104-87aa-eb42-59301b562ed9%40shaw.ca.
For more options, visit https://groups.google.com/d/optout.
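
Added example, not part of the thread: a shell sketch of the check discussed in the message above, comparing an installed dnsmasq package version against the 2.78 release the poster cites and recording whether the daemon is running. The function names, the sample package versions and the placeholder changelog handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). FIXED_VERSION is the release the thread
# cites from US-CERT; all sample inputs below are constructed.
FIXED_VERSION="2.78"

# upstream_version PKGVER: drop epoch and distro release, "2.76-2.fc25" -> "2.76"
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# version_lt A B: true if A sorts strictly before B (needs GNU sort -V)
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# assess PKGVER CHANGELOG RUNNING -> "<patch-state>,<exposure>"
#   patch-state: fixed | backport-claimed | unpatched
#   exposure:    running | idle
assess() {
    up=$(upstream_version "$1")
    if ! version_lt "$up" "$FIXED_VERSION"; then
        state=fixed
    elif printf '%s\n' "$2" | grep -q 'CVE-[0-9]'; then
        # Distros often backport fixes without bumping the upstream version;
        # a CVE entry in the changelog still has to be matched to the advisory.
        state=backport-claimed
    else
        state=unpatched
    fi
    [ "$3" = yes ] && exposure=running || exposure=idle
    echo "$state,$exposure"
}

# Live inputs inside a template or service VM would come from, e.g.:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' dnsmasq ; rpm -q --changelog dnsmasq
#   dpkg-query -W -f='${Version}\n' dnsmasq-base
#   pgrep -x dnsmasq >/dev/null && echo yes || echo no
assess "2.76-2.fc25" "" no    # constructed: the situation described in the thread
```

An `unpatched,idle` result still leaves the vulnerable binary on disk in the template, so every VM based on that template inherits it until the package is updated or removed.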


Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-06 Thread Ron Hunter-Duvar
On October 6, 2017 5:05:49 PM MDT, Unman wrote:
>On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
>> > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
...
>> > FC23 has been EOL'ed for long time, you should upgrade your template to
>> > FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to
>> > install fedora-25 template that is nowadays included to qubes repositories
>> > (IIRC). Then change your AppVMs having fedora-23 as their template to use
>> > fedora-25 template.
>> >
>>
>> I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it EOL
>> in 2015?
>>
>> I use debian-8 for all my appvms. I changed the default before I created any
>> of them.
>>
>> But I still need it for my servicevms. Especially since they're the ones
>> exposed to the internet (although still behind a separate firewall, but
>> that's potentially affected too).
>>
>> Haven't had time to look into how to setup a new template and convert the
>> servicevms. But for this, if there's no fix coming, I guess I'll have to
>> deal with it.
>> 
>> Thanks,
>> Ron
>
>No, Fed 23 was EOL in December 2016.
>It's still used in dom0 because there should be little call to upgrade
>dom0 - see the explanation here:
>www.qubes-os.org/doc/software-update-dom0/
>
>The install disk still contains fed23 templates and you're expected to
>update as soon as you have installed.
>
>To install a new template all you have to do is :
>sudo qubes-dom0-update qubes-template-fedora-25

Thanks for the tip. I don't remember seeing it in the getting started material 
I read. Doing it now.


>This will install the template and you can then just switch your
>serviceVMs - either using Qubes Manager, or by:
>'qvm-prefs  -s template '.
>
>Of course, there's no reason why you shouldn't use Debian for all your
>qubes, and ditch Fedora template altogether.

Do you mean I can switch my servicevms to Debian? I don't want to create any 
unnecessary headaches for myself right now, but I much prefer Debian.


>unman

Thanks,
Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-06 Thread Unman
On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
> On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
> > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
> > 
> > > Saw the news earlier today about the major dnsmasq vulnerabilities (remote
> > > code execution), and already received the update for the debian-8 template,
> > > but not for the fedora-23 template or dom0.
> > > 
> > > Anyone know of an ETA for this?
> > dom0 does not have network connectivity.
> 
> Yeah, I wondered about that. Any reason for it to even have dnsmasq
> installed? Because it does.
> 
> 
> > FC23 has been EOL'ed for long time, you should upgrade your template to
> > FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to
> > install fedora-25 template that is nowadays included to qubes repositories
> > (IIRC). Then change your AppVMs having fedora-23 as their template to use
> > fedora-25 template.
> > 
> 
> I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it EOL
> in 2015?
> 
> I use debian-8 for all my appvms. I changed the default before I created any
> of them.
> 
> But I still need it for my servicevms. Especially since they're the ones
> exposed to the internet (although still behind a separate firewall, but
> that's potentially affected too).
> 
> Haven't had time to look into how to setup a new template and convert the
> servicevms. But for this, if there's no fix coming, I guess I'll have to
> deal with it.
> 
> Thanks,
> Ron

No, Fed 23 was EOL in December 2016.
It's still used in dom0 because there should be little call to upgrade
dom0 - see the explanation here:
www.qubes-os.org/doc/software-update-dom0/

The install disk still contains fed23 templates and you're expected to
update as soon as you have installed.

To install a new template all you have to do is :
sudo qubes-dom0-update qubes-template-fedora-25

This will install the template and you can then just switch your
serviceVMs - either using Qubes Manager, or by:
'qvm-prefs  -s template '.

Of course, there's no reason why you shouldn't use Debian for all your
qubes, and ditch Fedora template altogether.

unman



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-05 Thread Ron Hunter-Duvar

On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
> On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
>
>> Saw the news earlier today about the major dnsmasq vulnerabilities (remote
>> code execution), and already received the update for the debian-8 template,
>> but not for the fedora-23 template or dom0.
>>
>> Anyone know of an ETA for this?
>
> dom0 does not have network connectivity.

Yeah, I wondered about that. Any reason for it to even have dnsmasq
installed? Because it does.

> FC23 has been EOL'ed for long time, you should upgrade your template to
> FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to
> install fedora-25 template that is nowadays included to qubes repositories
> (IIRC). Then change your AppVMs having fedora-23 as their template to use
> fedora-25 template.

I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it 
EOL in 2015?


I use debian-8 for all my appvms. I changed the default before I created 
any of them.


But I still need it for my servicevms. Especially since they're the ones 
exposed to the internet (although still behind a separate firewall, but 
that's potentially affected too).


Haven't had time to look into how to setup a new template and convert 
the servicevms. But for this, if there's no fix coming, I guess I'll 
have to deal with it.


Thanks,
Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-05 Thread Ilpo Järvinen
On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:

> Saw the news earlier today about the major dnsmasq vulnerabilities (remote
> code execution), and already received the update for the debian-8 template,
> but not for the fedora-23 template or dom0.
> 
> Anyone know of an ETA for this?

dom0 does not have network connectivity.

FC23 has been EOL'ed for long time, you should upgrade your template to 
FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to 
install fedora-25 template that is nowadays included to qubes repositories 
(IIRC). Then change your AppVMs having fedora-23 as their template to use 
fedora-25 template.

-- 
 i.



[qubes-users] Qubes 3.2 dnsmasq update?

2017-10-04 Thread Ron Hunter-Duvar

Hi,

Saw the news earlier today about the major dnsmasq vulnerabilities 
(remote code execution), and already received the update for the 
debian-8 template, but not for the fedora-23 template or dom0.


Anyone know of an ETA for this?

Thanks,

Ron
