863 results for “fedoracpt”
-
General reminder for @fedora users:
In just a little over two weeks (May 16) Fedora 36 will go EOL! Make sure you set aside some time to upgrade to Fedora 37 or Fedora 38 before then!
If you need assistance, the documentation demonstrates how to upgrade with a variety of methods:
https://docs.fedoraproject.org/en-US/quick-docs/upgrading/
#fedora #fedoralinux #fedora36 #fedoralinux36 #eol #fedora37 #fedoralinux37 #fedora38 #fedoralinux38
-
FEDORA LINUX 39 is stepping up to the GAME! :fedora: 🎮 :linux:
Release 39 of this top Linux OS will boost something called "vm.max_map_count" - to make Windows-only games further fly on Linux.
The goal is to match the ways of Valve's gaming marvels SteamOS / Steam Deck.
=> https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
#Fedora #Linux #linuxgaming #gaming #Steam #SteamDeck #deleteWindows @fedora
-
Also welcome the Sway spin to the Fedora Project! :fedora: 🤝 :sway:
Sway is a tiling window manager and drop-in replacement for i3, but with support for Wayland.
They also have Sericea, a Sway immutable desktop joining the ranks of Silverblue and Kinoite!
#Fedora #Linux #Sway #Sericea #Silverblue
Fedora Sway: https://fedoraproject.org/spins/sway/
Fedora Sericea (Sway Immutable): https://fedoraproject.org/sericea/
More Sway info: https://swaywm.org/
-
Here's my favorite talk on #CreativeFreedomSummit - "Freelancing with Free Software" by @ryangorley!
It's about doing #freelance work as a #FOSS agency and why they, and you as well, don't need proprietary packages when there are #libre alternatives without imposing a risk of development and support lock-in. Answering top audience questions.
📺 Watch on #CFS: https://peertube.linuxrocks.online/w/c7saLPLSHJiUDnXaww7ooQ
📺 Watch on #FedoraProject: https://www.youtube.com/watch?v=97cOcBGgXa4
@fedora.design @mairin #Krita #Blender #GIMP #Inkscape #Penpot #Kdenlive #DarkTable #NextCloud #Freehive #Scribus #Syncthing #FLOSS #VideoEditing
-
How to make life hard for package maintainers in #Linux #distributions:
Just provide a patch instead of directly releasing a new version of foo, when it starts to misbehave with a newly released version of bar, which leads to build errors in foobar.
That's bad, as package maintainers of several distros now need to discover and apply the patch (& later revert it).
foo in this case is #pahole: https://src.fedoraproject.org/rpms/dwarves/c/5acd1ae2c9ddde3cf3470047265470586a9d6744?branch=rawhide
bar was #binutils 2.40
foobar is the #kernel: https://koji.fedoraproject.org/koji/getfile?taskID=97533096&volume=DEFAULT&name=build.log&offset=-4000
-
I wrote about Logic Models in open source software planning a few days ago. Now, feast on this hot take: Logic Models are a superset of OKRs that avoid some of the common failures of that tool, and provide other advantages too!
-
... One such tool I personally find helpful and think would be good is called a "logic model" — it's a way of expressing your _theory of change_.
And all of this is to say, I wrote a short post about this tool in Fedora -- we're using it as a framework to plan and structure our strategy for the next five years.
Check it out if this is at all interesting to you:
https://discussion.fedoraproject.org/t/theory-of-change-how-we-plan-and-explain-our-plans/46632
-
@KekunPlazas hello,
I'm wondering whether you also use the Lenovo models with a touchscreen; I have a #fedora37 workstation and the tablet's screen is damaged, which produces spurious inputs. Is it possible to disable the touchscreen?
I don't even know where to look, sorry
-
::: Fedora Linux 38 - live media creation modernized!
"As we look forward to new and better tooling for producing images (such as Kiwi and Osbuild), we cannot continue to rely on kickstart-driven image builds that construct shell scripts on the fly to embed in the image as we do now.
With livesys-scripts, those scripts have been simplified and turned into systemd services that activate only in live environments.
This also gives us the opportunity to introduce new functionality for live media."
=> https://fedoraproject.org/wiki/Changes/ModernizeLiveMedia
#Fedora #Linux #Live #Install #Media #development #RedHat #Kiwi #Osbuild
-
Do you like being on the road with Fedora Linux, have a topic you want to share with other people, and enjoy writing (in English)? FedoraMagazine is always looking for new topics, writers and editors for more content from the community, for the community :blobhug:
The documentation has all the info on how and where. There you will also learn how the process runs, from writing through the reviews to publication.
https://docs.fedoraproject.org/en-US/fedora-magazine/writing-a-pitch/
-
@kayb @LasseGismo I don't know of any CA that operates under German jurisdiction
Oh wait...
Since this is an exciting topic, I did some research into how exactly this crypto stuff works. Example #Fedora:
fedoraproject.org/wiki/CA-Cert…
"Fedora 25 (and later) uses the unmodified Mozilla CA list,"
And that list includes, among others, German companies:
*D-TRUST D-Trust GmbH
*Deutsche Telekom Security GmbH
So in theory it would be possible to exert influence here with the appropriate means.
BUT 1: If that came out, those companies would be thrown out of the list faster than you can say 'NieMehrCDU'. We have seen several times in the past how quickly that happens after sloppiness - for example #DigiNotar, which was insolvent shortly afterwards.
BUT 2: That applies to TLS, i.e. web access. Not necessarily to code signing. Taking #Fedora as the example, code signing for the update process runs via #PGP, so the CA plays no role there. The relevant private signing key therefore sits somewhere in the Fedora/RedHat build system. And that is probably similar for the thousand other distributions, which shouldn't exactly make such an attack on the PKI any easier.
getfedora.org/security/
-
The Fedora Magazine provided a new article about using the Fedora Account System (FAS) and how to use the desktop integrated Kerberos Login to have SSO enabled for all Fedora services:
https://fedoramagazine.org/getting-set-up-with-fedora-project-services/
And did you know that the FAS works with CodiMD when you enable the OpenID login?
Just sign into: https://<your account name>.id.fedoraproject.org 🎉
And yes, you can try it on https://demo.codimd.org
-
In January 2020 Microsoft will drop supporting Windows 7. This can be a chance to bring people to Linux!
I mean many people still use Windows 7 and did not upgrade and likely don't want to upgrade to Windows 8 or 10…
Due to the lack of a real cross-distro discussion platform I've written up some ideas here, now:
https://discussion.fedoraproject.org/t/campaign-to-get-windows-7-users-to-upgrade-to-linux/1015
#Linux #Windows7 #WindowsToLinux
-
Manage your Linux systems like a container!
I’ve got to tell you, I have not been so excited about a technology… probably since Containers. At Summit this year Red Hat announced the General Availability of Image Mode for RHEL. So I got to spend a week in Boston, explaining, over and over again, why that’s important.
See, Image mode is kind of a big deal. It takes container workflows, and applies them to your data center servers using a technology called bootc. This concept isn’t new exactly; this sort of technology has been applied to edge devices, and phones, and other appliances for years. But what we have now is a general purpose Linux that you can update using a bootable container image. This changes things.
So think about a Linux system as you know it today. We’re calling that Package Mode now in order to avoid confusion. RHEL Package Mode is a Linux base, with a package manager, where you install and configure things, and then fight to keep those things from drifting pretty much from then until eternity. There’s a whole facet of the IT industry around mitigating that drift. Package and config management is a huge business! For good reason! Drift is what makes your routine 2AM maintenance into a panic attack when the database server doesn’t come back up.
So I talked a lot about Image Mode at Summit, but I have to admit, I hadn’t touched it yet! So now that I’m back home, and my time is a little less consumed by prep for the RHEL 10 release and Summit deadlines, I decided to take some time and get hands-on with this revolutionary thing.
Building a pipeline
So, I use Gitlab community edition as a repository for a few container builds I maintain. Some time back I managed to get the CI/CD pipelines working for my container builds. These were nothing fancy, but they work. I commit a change to the repository, and a job kicks off to rebuild the container, and push it into a registry. In some cases that’s just the internal Gitlab registry, in others it’s Docker Hub. I, of course, do it all with Podman. So when I decided to tackle Image Mode, I thought it would be best to just rip that band-aid right off and do it in Gitlab, and have the builds happen there. How hard could it be? I already had container builds running there!
So I made a repo, and copied my CI config from one of the container builds that just used podman and the local registry, and threw in a basic Containerfile that just sourced FROM the RHEL bootc base image, and then did a package install. Commit, sit back in my arrogance and wait for my image.
It failed. For reasons I still don’t fully understand, the container build uses fuse-overlayfs to do its build, and couldn’t in my runner’s podman in podman build container. I did some research, and luckily I have access to internal Red Hat knowledge, so I was able to bounce some ideas around and came up with a solution. Two things actually. My runner needed some config changes. Here, I’ll share them with you.
Here is my Runner config
[[runners]]
  name = "dind-container"
  url = "https://git.undrground.org"
  id = 3
  token = "NoTokenForYou"
  token_obtained_at = somedatestamp
  token_expires_at = someotherdatestamp
  executor = "docker"
  environment = ["FF_NETWORK_PER_BUILD=1"]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "docker:git"
    # privileged build containers can reach host devices and mounts;
    # limit which projects may use this runner
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
    network_mtu = 0
The things I had to add were, first, privileged = true. This gives the container the access it needs to do its fusefs work. And the environment “FF_NETWORK_PER_BUILD=1”, which I believe tweaks the podman networking such that it fixed a DNS resolution problem I was having in my builds.
With that fixed, I was able to get builds working! I have two things to share that may help you if you are trying to do the same. First, another Red Hatter built a public example repo that will apparently “just work” if you use it as a base for your Image Mode CI/CD. It didn’t work for me, but I suspect that was more about my gitlab setup and less about the functionality of the example. You can find that example, Here. What I ended up doing was to modify my existing podman CI file. That looks like this:
---
image: registry.undrground.org/gangrif/podman-builder:latest

#services:
#  - docker:dind

before_script:
  - dnf -y install podman git subscription-manager buildah skopeo
  - subscription-manager register --org=${RHT_ORGID} --activationkey=${RHT_ACT_KEY}
  - subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms --enable rhel-9-for-x86_64-baseos-rpms
  - export REVISION=$(git rev-parse --short HEAD)
  - podman login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
  - podman login --username $RHLOGIN --password "$RHPASS" registry.redhat.io

after_script:
  - podman logout $CI_REGISTRY
  - subscription-manager unregister

stages:
  - build

containerize:
  stage: build
  script:
    - podman build --secret id=creds,src=/run/containers/0/auth.json --build-arg GIT_HASH=$CI_COMMIT_SHA -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA -t $CI_REGISTRY_IMAGE:latest .
    - podman push $CI_REGISTRY_IMAGE
Now, this example contains no verification or validation, so I suggest you maybe look into the proper example linked externally. That one has a lot of testing included. Mine will improve with time. 😉
Registry Authentication for your build
Now, there’s a few things to note here. First, notice that I am not just logging into my own registry, but registry.redhat.io. You register using your Red Hat login for the Red Hat private registry, and that’s where the bootc base images come from. I also use subscription-manager to register the build container to Red Hat’s CDN. That’s because the RHEL Image Mode build is building RHEL, and must be done using an entitled host in order to receive any updates or packages during the container build. This was something I had gotten stuck on for some time; it’s a little tough to wrap your head around. Once you do though, it makes sense.
Authenticating your bootc system with your registry, automatically
I am also passing the podman authentication token file into a podman secret at build time. This is important later. If your bootc images are stored in a registry that is not public, you will need to authenticate to that registry in order to pull your updated images after deployment. The easiest way to bake in that authentication is to simply take the authentication from the build host, and place it into the built image. There is some trickery that happens in your Containerfile to make this work. You can read more about this here.
Containerfile
So, I told you we build image mode like a container. I meant it. We literally write a Containerfile, and source it from these special bootc images that are published by Red Hat. There are a few things you’ll want to think about when building a bootc Containerfile vs a standard application container, things that you wouldn’t normally think about when building a normal container.
Content
First, RHEL is entitled software; that doesn’t change for RHEL Image Mode. This is pretty seamless if you are doing your build directly on an entitled RHEL system. But if you’re in a UBI container like I am, you’ll need to subscribe the UBI container, because the bootc build will depend on that entitlement to enable its own repositories. That is not true, however, for 3rd party public repositories. Those just get enabled right inside of the Containerfile. This sounds confusing, but it boils down to this. RHEL repository? Entitled by the build host. Other repository? Add it via the Containerfile. I add EPEL in my example below.
Users
Something else I don’t usually see done in a standard container is the addition of users. Remember this is going to be a full RHEL host at the other end, so you might need to add users. In my case I am adding a local “breakglass” user, because I am leveraging IdM for my identities. But if something goes wrong during the provisioning, I want a user I can log in to the system with to troubleshoot. You can also come in later with other tools to add users. You can enable cloud-init and add them there, or if you are using the image builder tool I’ll talk about in a bit, you can give it a config.toml file to add users at that point.
Other Considerations
Other things that you’ll need to think about might be firewall rules, container registry authentication, and even the lack of an ENTRYPOINT or CMD. Because this system is expected to boot into a full OS, it is not going to run a single dedicated workload. Instead you’ll be enabling services like you would on a standard RHEL system, with systemctl.
My Containerfile
Now that we’re through all of that, let me show you what I ended up with as a Containerfile.
FROM registry.redhat.io/rhel9/rhel-bootc:latest

# Enable EPEL, install updates, and install some packages
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
RUN dnf -y update
RUN dnf -y install ipa-hcc-client rhc rhc-worker-playbook cloud-init && dnf clean all

# This sets up automatic registration with Red Hat Insights
COPY --chmod=0644 rhc-connect.service /usr/lib/systemd/system/rhc-connect.service
COPY .rhc_connect_credentials /etc/rhc/.rhc_connect_credentials
RUN systemctl enable rhc-connect && touch /etc/rhc/.run_rhc_connect_next_boot

# This is my backdoor user, in case of IdM join failure
RUN useradd breakglass
RUN usermod -p '$6$s0m3pAssw0rDHasH' breakglass
RUN groupmems -g wheel -a breakglass

# This picks up that podman pull secret, and adds it to the build image
COPY link-podman-credentials.conf /usr/lib/tmpfiles.d/link-podman-credentials.conf
RUN --mount=type=secret,id=creds,required=true cp /run/secrets/creds /usr/lib/container-auth.json && \
    chmod 0600 /usr/lib/container-auth.json && \
    ln -sr /usr/lib/container-auth.json /etc/ostree/auth.json

# This configures the bootc update timer to run at a time that I consider acceptable
RUN mkdir -p /etc/systemd/system/bootc-fetch-apply-updates.timer.d/
COPY weekly-timer.conf /etc/systemd/system/bootc-fetch-apply-updates.timer.d/weekly.conf
You can see from my comments what’s going on in the various blocks in that Containerfile. My intention is to use this as a base RHEL system, and then make more derivative images based on this one. For instance, if I wanted a web server, I would base a new Containerfile on this image, and then add in a RUN dnf install httpd. It’s important to note that you shouldn’t be installing packages on these deployed systems after they are up and running. Those installations should happen in the image.
If you install a package on a running image mode system, that change will not be carried into the next image update on your system unless you then incorporate it into your bootable container image. This means that you will need to plan ahead, but it also means that tracking package drift in the future is a thing of the past!
In my case, the above mentioned CI automation, and this Containerfile worked in my Gitlab instance, with the above Runner modifications. The build job will take some time, a bootc image is much larger than the lightweight container images you are used to if you’ve been building application containers.
But what about turning that into a VM?
So I am covering but ONE method of getting this image deployed to an actual system. You can use a myriad of different methods including Kickstart, writing an ISO, PXE boot, but what I am doing (because it suits my needs) is turning my image into a qcow2 file, which is a virtual disk image for use with Libvirt. If you’re familiar with Image Builder, the tool used to churn out tailored RHEL disk images, then this won’t be a surprise. There’s a container that you can grab that just runs image builder; you give it a bootable container image, and it turns it into a qcow2! I’ve cooked up a script that pulls my bootable container right from my registry, writes it to a qcow2, then immediately passes that to virt-install and builds a VM out of it!
In my case, it also uses cloud-init to set its hostname, auto registers, and connects to insights, and then uses a slick new tech preview feature that auto-joins my lab’s IdM domain through insights! Here is my script:
#!/bin/bash
VMNAME=$1

# registry credentials (placeholder values in this post)
podman login --username my-gitlab-username -p 'gitlab-token' registry.undrground.org
podman login --username my-redhat-login -p 'redhatpassword' registry.redhat.io
podman pull registry.undrground.org/gangrif/rhel9-imagemode:latest

# turn the bootable container into a qcow2 disk image
sudo podman run \
  --rm \
  -it \
  --privileged \
  --pull=newer \
  --security-opt label=type:unconfined_t \
  -v $(pwd)/config.toml:/config.toml \
  -v $(pwd)/output:/output \
  -v /var/lib/containers/storage:/var/lib/containers/storage \
  registry.redhat.io/rhel9/bootc-image-builder:latest \
  --type qcow2 \
  registry.undrground.org/gangrif/rhel9-imagemode:latest

# cloud-init user-data: just the hostname
cat << EOF > $VMNAME.init
#cloud-config
fqdn: $VMNAME.idm.undrground.org
EOF

mv $(pwd)/output/qcow2/disk.qcow2 /var/lib/libvirt/images/$VMNAME-disk0.qcow2

virt-install \
  --name $VMNAME \
  --memory 4096 \
  --vcpus 2 \
  --os-variant rhel9-unknown \
  --import \
  --clock offset=localtime \
  --disk=/var/lib/libvirt/images/$VMNAME-disk0.qcow2 \
  -w bridge=bridge20-lab \
  --autoconsole none \
  --cloud-init user-data=$VMNAME.init
This, of course, can be improved, but as a proof of concept it works great! I’ve built a few test systems and so far it’s working flawlessly! Now, when I want to update my systems, I update the gitlab repository with the changes, and let the CI run. Then once it completes, all I do is run this script to make a new VM! The running VMs -should- (I have not tested this yet) get the updated bootable container image from the registry on Saturday at 3AM, and reboot if new changes are applied.
Wrapping it up
This is, I think, the thing we’ve been promised for years, ever since the advent of the cloud, when we were told that we should stop treating our servers like pets but never really given a clear definition of how. Image Mode makes that promise a reality. I’m certain I’ll be sharing more as my Image Mode journey progresses. Thanks for reading!
#bootc #cloud #image #imageMode #linux #redHat #redHatEnterpriseLinux #rhel #services
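A lint pass over a bootc Containerfile for the points the post raises (no ENTRYPOINT/CMD, local users and password hashes, credential files that land in image layers, build secrets): an added example in Python, not the post's code and not a Red Hat tool. The rules are my own heuristics and the sample Containerfile is constructed here.

```python
"""Lint a bootc Containerfile for the concerns discussed in the post.

Added example, not code from the post or from Red Hat.  The rules are my own
heuristics, not a bootc rule set:
  * ENTRYPOINT/CMD present (no effect in a bootable image)
  * a password hash baked in with `usermod -p` / `useradd -p` / chpasswd
  * credential-looking files COPY'd into a layer (they ship to every host
    that pulls the image) instead of passed with --mount=type=secret
  * a build secret copied into the image without restrictive permissions
  * a user added to wheel (informational)
"""
import re
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    level: str    # "warn" or "info"
    code: str     # short rule id
    line: int     # 1-based line of the instruction
    message: str


# Constructed sample modelled on the post's Containerfile (not a copy of it).
SAMPLE = """\
FROM registry.redhat.io/rhel9/rhel-bootc:latest
RUN dnf -y install cloud-init && dnf clean all
COPY .rhc_connect_credentials /etc/rhc/.rhc_connect_credentials
RUN useradd breakglass
RUN usermod -p '$6$s0m3pAssw0rDHasH' breakglass
RUN groupmems -g wheel -a breakglass
RUN --mount=type=secret,id=creds,required=true cp /run/secrets/creds /usr/lib/container-auth.json && \\
    chmod 0600 /usr/lib/container-auth.json
CMD ["/bin/bash"]
"""


def instructions(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, KEYWORD, args) per logical instruction, folding
    backslash continuations and skipping blank and comment lines."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        logical = " ".join(buf)
        buf = []
        keyword, _, args = logical.partition(" ")
        yield start, keyword.upper(), args.strip()


CRED_NAME = re.compile(r"(auth\.json|credential|secret|token|\.pem$|id_(rsa|ed25519))", re.I)
PASSWORD_FLAG = re.compile(r"\b(usermod|useradd)\b[^&|;]*\s(-p|--password)\s|\bchpasswd\b")
WHEEL = re.compile(r"\bgroupmems\b[^&|;]*-g\s+wheel\b|\busermod\b[^&|;]*-aG\s+\S*\bwheel\b")
SAFE_MODE = re.compile(r"\bchmod\s+0?[46]00\b")


def lint(text: str) -> List[Finding]:
    found: List[Finding] = []
    for line, kw, args in instructions(text):
        if kw in ("ENTRYPOINT", "CMD"):
            found.append(Finding("info", "no-entrypoint", line,
                f"{kw} has no effect in a bootc image; enable a systemd unit instead"))
        elif kw in ("COPY", "ADD"):
            # everything but flags and the final destination is a source path
            sources = [t for t in args.split()[:-1] if not t.startswith("--")]
            for src in sources:
                if CRED_NAME.search(src):
                    found.append(Finding("warn", "cred-in-layer", line,
                        f"{src} lands in an image layer and ships to every host that pulls "
                        "the image; use --mount=type=secret if only the build needs it"))
        elif kw == "RUN":
            if PASSWORD_FLAG.search(args):
                found.append(Finding("warn", "baked-password", line,
                    "password hash baked into the image is readable by anyone who can pull it; "
                    "prefer an SSH key or cloud-init/config.toml at deploy time"))
            if WHEEL.search(args):
                found.append(Finding("info", "wheel-member", line, "user granted wheel (sudo)"))
            if "--mount=type=secret" in args and "/run/secrets/" in args \
                    and not SAFE_MODE.search(args):
                found.append(Finding("warn", "secret-copy-perms", line,
                    "build secret copied into the image without chmod 0600/0400"))
    return found


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"{f.level:4} line {f.line:>3}  [{f.code}] {f.message}")
```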
-
CW: New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)
(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)
Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:
Press release: https://www.athene-center.de/en/news/press/key-trap
Technical paper (released 2/15): https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
DNS-OARC dns-ops announcement: https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html
RIPE blog post by one of the authors: https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/
Apparently builds on this 2019 vulnerability (h/t letoams @defcon.social):
https://essay.utwente.nl/78777/
Details may be still partially embargoed until patching ramps up.
Analysis:
DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.
"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)
Per the Unbound writeup, both vulns require query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).
Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)
Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.
Details:
Two DNSSEC DoS CVEs:
CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://seclists.org/oss-sec/2024/q1/125
(KeyTrap was discovered by ATHENE - their press release here has very important detail:
https://www.athene-center.de/en/news/press/key-trap)
CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MITRE links (now populated):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Vulmon queries:
https://vulmon.com/searchpage?q=CVE-2023-50387
https://vulmon.com/searchpage?q=CVE-2023-50868
VulDB:
https://vuldb.com/?id.253829
Resolver status:
BIND (patched - vuln since 2000?):
https://fosstodon.org/@iscdotorg/111924416653890048
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://seclists.org/oss-sec/2024/q1/125
https://www.isc.org/blogs/2024-bind-security-release/
(note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)
BIND tools:
dig: no validation
kdig: no validation
delv: affected, patched
dnsmasq (patched - 2.90 has fix):
https://thekelleys.org.uk/dnsmasq/CHANGELOG
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
Knot (patched in 5.7.1):
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
(kzonecheck also affected, patched?)
ldns-verify-zone:
affected per ATHENE paper
OPNsense (patched):
https://forum.opnsense.org/index.php?topic=38939.msg190655#
pfSense:
(Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1
https://redmine.pfsense.org/issues/15256
Pi-Hole (uses dnsmasq - patch available)
https://www.patreon.com/posts/dnssec-fix-98498055
https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/
PowerDNS (patched - all versions affected):
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://github.com/PowerDNS/pdns/pull/13781
https://github.com/PowerDNS/pdns/pull/13784
https://seclists.org/oss-sec/2024/q1/130
Stubby:
[?]
https://github.com/getdnsapi/stubby
systemd.resolved:
[?]
Ubiquiti
[?]
Unbound (patched - vuln since Aug 2007):
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
https://seclists.org/oss-sec/2024/q1/126
Library status:*
dnspython (GitHub patched):
affected per ATHENE paper
https://github.com/rthalley/dnspython/commit/a1a998938b7370dae41784f8bc0a841dc2addba9
getdns (used by stubby - no patched release?):
affected per ATHENE paper
https://getdnsapi.net/releases/
ldns (not yet patched?):
affected per ATHENE paper
https://github.com/NLnetLabs/ldns
libunbound (used by Unbound):
affected per ATHENE paper
no recent patches?
https://github.com/NLnetLabs/unbound/tree/master/libunbound
Cloud status:
Akamai:
https://www.akamai.com/blog/security/dns-exploit-keytrap-posed-major-internet-threat
Cloudflare:
https://blog.cloudflare.com/remediating-new-dnssec-resource-exhaustion-vulnerabilities
Google DNS:
(stated as patched in Register and SecurityWeek articles)
[?]
NextDNS (patched per forum reply):
https://help.nextdns.io/t/h7yxwc5/does-dnssec-security-hole-keytrap-cve-2023-50387-affect-nextdns
OS status:
Debian:
BIND:
https://lists.debian.org/debian-security-announce/2024/msg00028.html
pdns-recursor:
https://lists.debian.org/debian-security-announce/2024/msg00033.html
Unbound:
https://lists.debian.org/debian-security-announce/2024/msg00027.html
Fedora:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0
FreeBSD:
https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b
Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387
Mageia:
https://bugs.mageia.org/show_bug.cgi?id=32846
OpenBSD (unwind):
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50868
SUSE:
https://www.suse.com/security/cve/CVE-2023-50387.html
https://bugzilla.suse.com/show_bug.cgi?id=1219823
Ubuntu:
https://ubuntu.com/security/CVE-2023-50387
https://ubuntu.com/security/CVE-2023-50868
https://ubuntu.com/security/notices/USN-6633-1
Windows (Server, DNS Role):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
Package status:
BIND:
https://repology.org/project/bind/versions
dnsmasq:
https://repology.org/project/dnsmasq/versions
Unbound:
https://repology.org/project/unbound/versions
GitHub:
https://github.com/advisories/GHSA-8459-gg55-8qjj
Go (Knot module?)
https://github.com/golang/vulndb/issues/2552
Non-coverage: (no mentions known yet)
AWS:
[?]
Azure (Microsoft Server DNS?):
[?]
Cisco Umbrella:
https://umbrella.cisco.com/blog [?]
CoreDNS:
https://coredns.io/blog/ [?]
Infoblox:
https://blogs.infoblox.com/ [?]
Quad9 DNS:
https://www.quad9.net/news/blog/ [?]
News/Press/Forums
https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://news.ycombinator.com/item?id=39372384
https://www.darkreading.com/cloud-security/keytrap-dns-bug-threatens-widespread-internet-outages
Detection/Validation:
Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):
# zone signed, server DNSSEC-enabled:
$ delv example.net @8.8.8.8
; fully validated
example.net. 4437 IN A 93.184.216.34
example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==
# zone unsigned, server DNSSEC-enabled:
$ delv google.com @8.8.8.8
; unsigned answer
google.com. 100 IN A 142.250.69.206
Tenable:
https://www.tenable.com/plugins/pipeline/issues/165587
Snyk:
https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245755
Exploits:
(multiple sources describe as "trivial")
https://github.com/knqyf263/CVE-2023-50387 (not tested)
#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec
-
Forgejo: The lightweight Git forge for sysadmins and DevOps
Why you should know Forgejo. Forgejo is a self-hosted, lightweight software forge based on Git that gives you, as a sysadmin or DevOps engineer, a complete platform for code hosting, issue tracking and CI/CD. You should know it because it runs with a small resource footprint, is 100% Free Software, and projects like Fedora use it for modern, community-driven workflows. In system administration it helps you manage central repositories without […]
https://andreas-moor.de/forgejo-die-leichte-git-forge-fuer-sysadmins-und-devops/
-
Fedora Linux 42 Nears End of Support: Why You Should Upgrade Now
Fedora Linux 42 support ends soon. Learn what this means, why upgrading matters, and how Fedora 43 keeps your Linux system secure and current.
https://beitmenotyou.online/fedora-linux-42-nears-end-of-support-why-you-should-upgrade-now/
-
Fedora Linux finally says yes to AI contributions
https://web.brid.gy/r/https://nerds.xyz/2025/10/fedora-linux-ai-contributions/
-
heise+ | Fedora 33 reviewed: New defaults with Btrfs, systemd-resolved and zRAM
The Linux distribution Fedora is setting a new course in several places: the "Fedora IoT" variant has been promoted to an "official edition".