Re: [Linux-PowerEdge] CVE-2020-5344
You can use racadm fwupdate with the raw iDRAC firmware image (as well as CMC raw firmware image) however the newer method racadm update works with the Dell Update Package for iDRAC and any other DUP file without the need to extract it first and should work when specifying a local path from the client. Josh Moore Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME Dell EMC | Infrastructure Solutions Support josh.mo...@dell.com How am I doing? Please contact my manager brandon.wh...@dell.com to provide feedback. Thanks! Please consider the environment before printing this email. Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, immediately contact the sender by reply e-mail and destroy all copies of the original message. -Original Message- From: linux-poweredge-bounces-Lists On Behalf Of isdtor Sent: Friday, April 10, 2020 8:53 AM To: linux-poweredge-Lists Subject: Re: [Linux-PowerEdge] CVE-2020-5344 [EXTERNAL EMAIL] Sorry, I just replied to the wrong message. Yes, racadm works, but it's fwupdate, not update if the file is the actual firmware image. And providing the file on the client does not seem to be supported, but it works with tftp. josh.mo...@dell.com writes: > In this situation using racadm might be an option to consider? Scripted to > either run locally on each target host with racadm installed on each, with > the Dell Update Package centrally accessible by hosts or copied to each host > or using racadm remote from a management workstation that can reach the iDRAC > network. > > Ex. > racadm update -f /path/to/file > racadm -r -u root -p update -f > /path/to/file > > In the first example /path/to/file is relative to the local target > host In the second example /path/to/file is relative to the management > workstation > > Josh Moore > Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME Dell > EMC | Infrastructure Solutions Support josh.mo...@dell.com > > How am I doing? Please contact my manager brandon.wh...@dell.com to > provide feedback. Thanks! > > Please consider the environment before printing this email. > > Confidentiality Notice: This email message, including any attachments, is for > the sole use of the intended recipient(s) and may contain confidential or > proprietary information. Any unauthorized review, use, disclosure or > distribution is prohibited. If you are not the intended recipient, > immediately contact the sender by reply e-mail and destroy all copies of the > original message. > > -Original Message- > From: linux-poweredge-bounces-Lists > On Behalf Of isdtor > Sent: Thursday, April 9, 2020 11:49 AM > To: linux-poweredge-Lists > Subject: [Linux-PowerEdge] CVE-2020-5344 > > > [EXTERNAL EMAIL] > > > Hi list, > > Can someone from Dell please explain how we can deploy security updates to > machines where the OS is no longer supported, such as RHEL/CentOS 6? The > upgrade below was downloaded from Dell's support web site, "Operating system" > selected is "Red Hat(R) Enterprise Linux 6". And quite obviously, this > doesn't work on RHEL 6 because glibc is version 2.12. > > [root@host tmp]# > ./iDRAC-with-Lifecycle-Controller_Firmware_KTC95_LN_4.10.10.10_A00.BIN -q > Collecting inventory... > ./bmcfwul: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by > ./bmcfwul) . > Inventory collection failed. > [root@host tmp]# > > I am aware I can extract the payload and upload to the iDRAC directly, but > this is not practical when hundreds of servers need upgrading. Equally, the > install from update CD method is also unworkable as it requires reboots, > often in remote locations. > > Is there a solution? > > ___ > Linux-PowerEdge mailing list > Linux-PowerEdge@dell.com > https://lists.us.dell.com/mailman/listinfo/linux-poweredge > sh: tnef: command not found ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Re: [Linux-PowerEdge] CVE-2020-5344
[EXTERNAL EMAIL] Sorry, I just replied to the wrong message. Yes, racadm works, but it's fwupdate, not update if the file is the actual firmware image. And providing the file on the client does not seem to be supported, but it works with tftp. josh.mo...@dell.com writes: > In this situation using racadm might be an option to consider? Scripted to > either run locally on each target host with racadm installed on each, with > the Dell Update Package centrally accessible by hosts or copied to each host > or using racadm remote from a management workstation that can reach the iDRAC > network. > > Ex. > racadm update -f /path/to/file > racadm -r -u root -p update -f /path/to/file > > In the first example /path/to/file is relative to the local target host > In the second example /path/to/file is relative to the management workstation > > Josh Moore > Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME > Dell EMC | Infrastructure Solutions Support > josh.mo...@dell.com > > How am I doing? Please contact my manager brandon.wh...@dell.com to provide > feedback. Thanks! > > Please consider the environment before printing this email. > > Confidentiality Notice: This email message, including any attachments, is for > the sole use of the intended recipient(s) and may contain confidential or > proprietary information. Any unauthorized review, use, disclosure or > distribution is prohibited. If you are not the intended recipient, > immediately contact the sender by reply e-mail and destroy all copies of the > original message. > > -Original Message- > From: linux-poweredge-bounces-Lists > On Behalf Of isdtor > Sent: Thursday, April 9, 2020 11:49 AM > To: linux-poweredge-Lists > Subject: [Linux-PowerEdge] CVE-2020-5344 > > > [EXTERNAL EMAIL] > > > Hi list, > > Can someone from Dell please explain how we can deploy security updates to > machines where the OS is no longer supported, such as RHEL/CentOS 6? The > upgrade below was downloaded from Dell's support web site, "Operating system" > selected is "Red Hat(R) Enterprise Linux 6". And quite obviously, this > doesn't work on RHEL 6 because glibc is version 2.12. > > [root@host tmp]# > ./iDRAC-with-Lifecycle-Controller_Firmware_KTC95_LN_4.10.10.10_A00.BIN -q > Collecting inventory... > ./bmcfwul: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by > ./bmcfwul) . > Inventory collection failed. > [root@host tmp]# > > I am aware I can extract the payload and upload to the iDRAC directly, but > this is not practical when hundreds of servers need upgrading. Equally, the > install from update CD method is also unworkable as it requires reboots, > often in remote locations. > > Is there a solution? > > ___ > Linux-PowerEdge mailing list > Linux-PowerEdge@dell.com > https://lists.us.dell.com/mailman/listinfo/linux-poweredge > sh: tnef: command not found ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Re: [Linux-PowerEdge] CVE-2020-5344
[EXTERNAL EMAIL] bmcfwul seems to be the only executable in the package that needs a newer glibc, if ldd is anything to go by. Making it a static executable might do the job, and never to be looked at again. josh.mo...@dell.com writes: > In this situation using racadm might be an option to consider? Scripted to > either run locally on each target host with racadm installed on each, with > the Dell Update Package centrally accessible by hosts or copied to each host > or using racadm remote from a management workstation that can reach the iDRAC > network. > > Ex. > racadm update -f /path/to/file > racadm -r -u root -p update -f /path/to/file > > In the first example /path/to/file is relative to the local target host > In the second example /path/to/file is relative to the management workstation > > Josh Moore > Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME > Dell EMC | Infrastructure Solutions Support > josh.mo...@dell.com > > How am I doing? Please contact my manager brandon.wh...@dell.com to provide > feedback. Thanks! > > Please consider the environment before printing this email. > > Confidentiality Notice: This email message, including any attachments, is for > the sole use of the intended recipient(s) and may contain confidential or > proprietary information. Any unauthorized review, use, disclosure or > distribution is prohibited. If you are not the intended recipient, > immediately contact the sender by reply e-mail and destroy all copies of the > original message. > > -Original Message- > From: linux-poweredge-bounces-Lists > On Behalf Of isdtor > Sent: Thursday, April 9, 2020 11:49 AM > To: linux-poweredge-Lists > Subject: [Linux-PowerEdge] CVE-2020-5344 > > > [EXTERNAL EMAIL] > > > Hi list, > > Can someone from Dell please explain how we can deploy security updates to > machines where the OS is no longer supported, such as RHEL/CentOS 6? The > upgrade below was downloaded from Dell's support web site, "Operating system" > selected is "Red Hat(R) Enterprise Linux 6". And quite obviously, this > doesn't work on RHEL 6 because glibc is version 2.12. > > [root@host tmp]# > ./iDRAC-with-Lifecycle-Controller_Firmware_KTC95_LN_4.10.10.10_A00.BIN -q > Collecting inventory... > ./bmcfwul: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by > ./bmcfwul) . > Inventory collection failed. > [root@host tmp]# > > I am aware I can extract the payload and upload to the iDRAC directly, but > this is not practical when hundreds of servers need upgrading. Equally, the > install from update CD method is also unworkable as it requires reboots, > often in remote locations. > > Is there a solution? > > ___ > Linux-PowerEdge mailing list > Linux-PowerEdge@dell.com > https://lists.us.dell.com/mailman/listinfo/linux-poweredge > sh: tnef: command not found ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Re: [Linux-PowerEdge] CVE-2020-5344
[EXTERNAL EMAIL] Hi, BTW, I use this type of chroot solution to deploy updates which only target other Linux OS versions (e.g. RHEL6) on servers which run Debian 10 and Ubuntu LTS. This will generally work, but some updates which rely on a specific kernel version (e.g. because they ship use "out-of-tree" kernel modules) may still fail. In some cases if the "out-of-tree" kernel modules have since been "upstreamed" and included in the kernel you are running on the server, you can instead just use modprobe to load these kernel modules (e.g. "dell_rbu") from outside the chroot, before running the update. I use the Debian "schroot" tool (which takes care of bind-mounting /proc /dev /sys /home etc. - schroot is also availabe for Redhat I believe), and pre-generated root archives from https://images.linuxcontainers.org/ HTH, Tim. On 09/04/2020 21:37, Yannick PALANQUE wrote: > [EXTERNAL EMAIL] > > Hello, > > Le 09/04/2020 22:12, miguel.cha...@dell.com a écrit : >> Is there a solution? > > I think maybe running the DUP from a chrooted installation of CentOS 7 > could work? (you should copy a big tar.gz or something like that) > > But it must be like a using a truck to move a cup of tea one meter away... > ___ > Linux-PowerEdge mailing list > Linux-PowerEdge@dell.com > https://lists.us.dell.com/mailman/listinfo/linux-poweredge -- South East Open Source Solutions Limited Registered in England and Wales with company number 06134732. Registered Office: 2 Powell Gardens, Redhill, Surrey, RH1 1TQ VAT number: 900 6633 53 http://seoss.co.uk/ +44-(0)1273-808309 ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Re: [Linux-PowerEdge] CVE-2020-5344
[EXTERNAL EMAIL] Hello, Le 09/04/2020 22:12, miguel.cha...@dell.com a écrit : > Is there a solution? I think maybe running the DUP from a chrooted installation of CentOS 7 could work? (you should copy a big tar.gz or something like that) But it must be like a using a truck to move a cup of tea one meter away... ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Re: [Linux-PowerEdge] CVE-2020-5344
Dell Customer Communication - Confidential Good afternoon, A quick note on this is that feedback was forwarded to our engineering team. It looks like at least for this DRAC generation, tentatively they are looking to add back support for RHEL 6 on FW 4.20.20 For now, the currrent work arounds are what you mentioned in your email. There was also feedback provided for the display filter for the update package. If additional information is needed, please reach out to our Dell Support department. Thanks! Regards, Miguel Chavez -Original Message- From: linux-poweredge-bounces-Lists On Behalf Of isdtor Sent: Thursday, April 9, 2020 11:49 AM To: linux-poweredge-Lists Subject: [Linux-PowerEdge] CVE-2020-5344 [EXTERNAL EMAIL] Hi list, Can someone from Dell please explain how we can deploy security updates to machines where the OS is no longer supported, such as RHEL/CentOS 6? The upgrade below was downloaded from Dell's support web site, "Operating system" selected is "Red Hat(R) Enterprise Linux 6". And quite obviously, this doesn't work on RHEL 6 because glibc is version 2.12. [root@host tmp]# ./iDRAC-with-Lifecycle-Controller_Firmware_KTC95_LN_4.10.10.10_A00.BIN -q Collecting inventory... ./bmcfwul: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./bmcfwul) . Inventory collection failed. [root@host tmp]# I am aware I can extract the payload and upload to the iDRAC directly, but this is not practical when hundreds of servers need upgrading. Equally, the install from update CD method is also unworkable as it requires reboots, often in remote locations. Is there a solution? ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge
[Linux-PowerEdge] CVE-2020-5344
[EXTERNAL EMAIL] Hi list, Can someone from Dell please explain how we can deploy security updates to machines where the OS is no longer supported, such as RHEL/CentOS 6? The upgrade below was downloaded from Dell's support web site, "Operating system" selected is "Red Hat(R) Enterprise Linux 6". And quite obviously, this doesn't work on RHEL 6 because glibc is version 2.12. [root@host tmp]# ./iDRAC-with-Lifecycle-Controller_Firmware_KTC95_LN_4.10.10.10_A00.BIN -q Collecting inventory... ./bmcfwul: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./bmcfwul) . Inventory collection failed. [root@host tmp]# I am aware I can extract the payload and upload to the iDRAC directly, but this is not practical when hundreds of servers need upgrading. Equally, the install from update CD method is also unworkable as it requires reboots, often in remote locations. Is there a solution? ___ Linux-PowerEdge mailing list Linux-PowerEdge@dell.com https://lists.us.dell.com/mailman/listinfo/linux-poweredge