Re: [qubes-users] Qubes 3.2 dnsmasq update?
On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote: On October 6, 2017 5:05:49 PM MDT, Unman wrote: On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote: ... The install disk still contains fed23 templates and you're expected to update as soon as you have installed. To install a new template all you have to do is : sudo qubes-dom0-update qubes-template-fedora-25 Thanks for the tip. I don't remember seeing it in the getting started material I read. Doing it now. This will install the template and you can then just switch your serviceVMs - either using Qubes Manager, or by: 'qvm-prefs -s template '. ... Well, I did all this, and confirmed that the sys-* servicevms are all using Fedora 25, but it still has dnsmasq version 2.76. According to US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns me, given the length of time that the exploit code has been public. Surprises me too, since Debian had it out in a matter of hours. However, it's not running in any of these, nor in dom0. Should I just uninstall it? Thanks, Ron -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/728aa211-a104-87aa-eb42-59301b562ed9%40shaw.ca. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.2 dnsmasq update?
On October 6, 2017 5:05:49 PM MDT, Unman wrote: >On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote: >> On 10/05/2017 01:52 AM, Ilpo Järvinen wrote: >> > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote: ... >> > FC23 has been EOL'ed for long time, you should upgrade your >template to >> > FC25 or later (as FC24 likewise, is EOL'ed). The easiest >alternative is to >> > install fedora-25 template that is nowadays included to qubes >repositories >> > (IIRC). Then change your AppVMs having fedora-23 as their template >to use >> > fedora-25 template. >> > >> >> I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't >it EOL >> in 2015? >> >> I use debian-8 for all my appvms. I changed the default before I >created any >> of them. >> >> But I still need it for my servicevms. Especially since they're the >ones >> exposed to the internet (although still behind a separate firewall, >but >> that's potentially affected too). >> >> Haven't had time to look into how to setup a new template and convert >the >> servicevms. But for this, if there's no fix coming, I guess I'll have >to >> deal with it. >> >> Thanks, >> Ron > >No, Fed 23 was EOL in December 2016. >It's still used in dom0 because there should be little call to upgrade >dom0 - see the explanation here: >www.qubes-os.org/doc/software-update-dom0/ > >The install disk still contains fed23 templates and you're expected to >update as soon as you have installed. > >To install a new template all you have to do is : >sudo qubes-dom0-update qubes-template-fedora-25 Thanks for the tip. I don't remember seeing it in the getting started material I read. Doing it now. >This will install the template and you can then just switch your >serviceVMs - either using Qubes Manager, or by: >'qvm-prefs -s template '. > >Of course, there's no reason why you shouldnt use Debian for all your >qubes, and ditch Fedora template altogether. Do you mean I can switch my servicevms to Debian? I don't want to create any unnecessary headaches for myself right now, but I much prefer Debian. >unman Thanks, Ron -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/C9A5D777-0E22-493D-B321-D53276938729%40shaw.ca. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.2 dnsmasq update?
On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote: > On 10/05/2017 01:52 AM, Ilpo Järvinen wrote: > > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote: > > > > > Saw the news earlier today about the major dnsmasq vulnerabilities (remote > > > code execution), and already received the update for the debian-8 > > > template, > > > but not for the fedora-23 template or dom0. > > > > > > Anyone know of an ETA for this? > > dom0 does not have network connectivity. > > Yeah, I wondered about that. Any reason for it to even have dnsmasq > installed? Because it does. > > > > FC23 has been EOL'ed for long time, you should upgrade your template to > > FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to > > install fedora-25 template that is nowadays included to qubes repositories > > (IIRC). Then change your AppVMs having fedora-23 as their template to use > > fedora-25 template. > > > > I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it EOL > in 2015? > > I use debian-8 for all my appvms. I changed the default before I created any > of them. > > But I still need it for my servicevms. Especially since they're the ones > exposed to the internet (although still behind a separate firewall, but > that's potentially affected too). > > Haven't had time to look into how to setup a new template and convert the > servicevms. But for this, if there's no fix coming, I guess I'll have to > deal with it. > > Thanks, > Ron No, Fed 23 was EOL in December 2016. It's still used in dom0 because there should be little call to upgrade dom0 - see the explanation here: www.qubes-os.org/doc/software-update-dom0/ The install disk still contains fed23 templates and you're expected to update as soon as you have installed. To install a new template all you have to do is : sudo qubes-dom0-update qubes-template-fedora-25 This will install the template and you can then just switch your serviceVMs - either using Qubes Manager, or by: 'qvm-prefs -s template '. Of course, there's no reason why you shouldnt use Debian for all your qubes, and ditch Fedora template altogether. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171006230549.6qofrm4e4iy4hhop%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.2 dnsmasq update?
On 10/05/2017 01:52 AM, Ilpo Järvinen wrote: On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote: Saw the news earlier today about the major dnsmasq vulnerabilities (remote code execution), and already received the update for the debian-8 template, but not for the fedora-23 template or dom0. Anyone know of an ETA for this? dom0 does not have network connectivity. Yeah, I wondered about that. Any reason for it to even have dnsmasq installed? Because it does. FC23 has been EOL'ed for long time, you should upgrade your template to FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to install fedora-25 template that is nowadays included to qubes repositories (IIRC). Then change your AppVMs having fedora-23 as their template to use fedora-25 template. I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it EOL in 2015? I use debian-8 for all my appvms. I changed the default before I created any of them. But I still need it for my servicevms. Especially since they're the ones exposed to the internet (although still behind a separate firewall, but that's potentially affected too). Haven't had time to look into how to setup a new template and convert the servicevms. But for this, if there's no fix coming, I guess I'll have to deal with it. Thanks, Ron -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ad369241-56f8-8920-f558-aea94c030ab7%40shaw.ca. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.2 dnsmasq update?
On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote: > Saw the news earlier today about the major dnsmasq vulnerabilities (remote > code execution), and already received the update for the debian-8 template, > but not for the fedora-23 template or dom0. > > Anyone know of an ETA for this? dom0 does not have network connectivity. FC23 has been EOL'ed for long time, you should upgrade your template to FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to install fedora-25 template that is nowadays included to qubes repositories (IIRC). Then change your AppVMs having fedora-23 as their template to use fedora-25 template. -- i. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/alpine.DEB.2.20.1710051049040.30385%40whs-18.cs.helsinki.fi. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes 3.2 dnsmasq update?
Hi, Saw the news earlier today about the major dnsmasq vulnerabilities (remote code execution), and already received the update for the debian-8 template, but not for the fedora-23 template or dom0. Anyone know of an ETA for this? Thanks, Ron -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2c95d75c-293e-0e3e-6e31-f3163d5654b3%40shaw.ca. For more options, visit https://groups.google.com/d/optout.