[CentOS] Centos7 and old Bind bug
This is my new Centos7 DNS server. In logwatch I am seeing:

**Unmatched Entries**
    dispatch 0xb4378008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4463008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4464440: open_socket(::#8554) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4464440: open_socket(::#8614) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4465008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4465440: open_socket(0.0.0.0#4321) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4465878: open_socket(0.0.0.0#2605) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4465878: open_socket(0.0.0.0#) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4465878: open_socket(0.0.0.0#8611) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466008: open_socket(0.0.0.0#1935) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466008: open_socket(0.0.0.0#8611) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466440: open_socket(0.0.0.0#2605) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466440: open_socket(0.0.0.0#) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466878: open_socket(0.0.0.0#1935) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4466878: open_socket(0.0.0.0#8610) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4467440: open_socket(0.0.0.0#8613) -> permission denied: continuing: 1 Time(s)
    dispatch 0xb4467440: open_socket(0.0.0.0#8614) -> permission denied: continuing: 1 Time(s)
    etc.

This seems to be bug 1103439 which was 'fixed' for Centos6.

What should I do about this? Is there a SELinux policy to apply or
should I use the avoid udp-ports option in Bind?

Thank you

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

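An added example, not part of the original post: a small Python script that inventories the ports named was denied on, split by address family, and renders them as candidate avoid-v4-udp-ports / avoid-v6-udp-ports lists (the BIND option the post asks about). The sample lines are a subset of the logwatch output above, and the function names are made up for this example; whether avoiding the ports or changing SELinux policy is the better fix is left open, as in the post.

```python
import re
from collections import defaultdict

# Subset of the logwatch lines quoted in the post above.
SAMPLE = """\
dispatch 0xb4378008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4463008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4464440: open_socket(::#8554) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4465878: open_socket(0.0.0.0#) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4466008: open_socket(0.0.0.0#1935) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4466008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s)
"""

# address, optional port (some entries log none), optional logwatch count
LINE_RE = re.compile(
    r"open_socket\(([^#()]+)#(\d*)\) -> permission denied"
    r"(?:.*?(\d+) Time\(s\))?"
)


def summarize(text):
    """Return {"v4": {port: count}, "v6": {...}}; port None = not logged."""
    denied = {"v4": defaultdict(int), "v6": defaultdict(int)}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an open_socket denial
        addr, port, count = m.groups()
        family = "v6" if ":" in addr else "v4"
        key = int(port) if port else None
        denied[family][key] += int(count or 1)
    return {family: dict(ports) for family, ports in denied.items()}


def avoid_options(denied):
    """Render candidate named.conf option lines, one per address family."""
    lines = []
    for family in ("v4", "v6"):
        ports = sorted(p for p in denied[family] if p is not None)
        if ports:
            plist = " ".join(f"{p};" for p in ports)
            lines.append(f"avoid-{family}-udp-ports {{ {plist} }};")
    return lines


if __name__ == "__main__":
    for option in avoid_options(summarize(SAMPLE)):
        print(option)
```

Each listed port can be looked up with `semanage port -l` to see which SELinux port type it is assigned to.
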
Re: [CentOS] Which web browser on CentOS6 ?
> You can also try the mainline version of Pale Moon if you want 64-bit.
> http://linux.palemoon.org/ It uses gtk2, but I don't know if it's
> compatible with other old libraries that CentOS 6 uses. My build goes
> out of its way to be compatible with older libraries.

I did once build pm on CentOS6 as poc, but afterwards switched to the
distributed binaries. 26.x is the end of line for CentOS6, and I haven't
tried building 27.x. Maybe I'll try that, addressing the library
situation with custom or static versions.

Re: [CentOS] Which web browser on CentOS6 ?
Alice Wonder wrote:

On 02/10/2017 12:34 PM, James B. Byrne wrote:

On Fri, February 10, 2017 06:26, Patrick Begou wrote:

Hello

I have more and more trouble using firefox in a professional
environment with CentOS6. The latest version is 45.7.0 But I can't use
it anymore to access some old server hardware (IDRAC7 of DELL C6100)
because of "SSL_ERROR_WEAK_SERVER_CERT_KEY". I had to install an old
Firefox32 version to administrate these servers.

Today I upgraded the firmware of 2 DELL switches and now Firefox cannot
connect to them anymore saying:

An error occurred during a connection to xxx.xxx.xxx.xxx. The server
rejected the handshake because the client downgraded to a lower TLS
version than the server supports
SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT

Is there a CentOS6 recommended web browser allowing continuous
connections to old and new base level (and local) system administration
services ?

This situation arises because older, dare I say old, equipment released
with embedded software and using http/https as the administrative front
end was shipped with minimally compliant x-509 certificates. Often
self-signed with 1kb keys and md5 signature hashes. Not to mention many
are past their expiry dates.

However, given the revelations of state sanctioned snooping on network
traffic browsers are being pushed to implement increased compliance
checking for the overall security of users. Firefox is simply
implementing what various 'authorities' are recommending as secure
practices with respect to authentication using pki and x-509
certificates.

The present situation is a PIA. It could be a lot more user-friendly if
FF so chose. They could have easily allowed one to turn off these
advanced compliance checks for specific IP and DNS addresses so that the
intended benefit remained but the interference with existing
infrastructure was minimised. But, FF is on its own chosen path to
oblivion and the idea of compromise is totally absent from their project
plan.

IMHO Firefox is doing the right thing. Compromises in policy are how
system compromises often happen. If you can change the setting to be
more forgiving of certain bad vendors, then so can malware.

In this situation the working solution is the worst one: disabling https
and re-enabling http on these devices.

What we really need to do is demand better from the manufacturers of
products we use in a "professional environment" - and it is extremely
important we demand better from them now, during the dawn of IoT.

Re: [CentOS] Licence text questions
On Sat, Feb 11, 2017 at 08:06:49AM -0500, Jonathan Billings wrote
> Wouldn't this be easier done as a mock chroot? I realize you're
> not building RPMs, but you could use the chroot for building any
> software, and on any arbitrary CentOS or Fedora system.

1) Not everybody runs Fedora/Redhat/CentOS

2) The builds I'm doing are targeted at distros, like Puppy linux,
   which use older libs with backported security fixes. Pale Moon built
   in a chroot or mock chroot in CentOS 6.8 and up, let alone any modern
   distro, does not run on "Lucid Puppy" linux. That's because it'll
   expect the newer libs on the target machine. This is why I have to
   provide the entire old CentOS 6.5 environment complete with older
   libs to build against.

-- 
Walter Dnes

Re: [CentOS] Which web browser on CentOS6 ?
On Sat, Feb 11, 2017 at 11:37:09AM +0100, Patrick Bégou wrote
> Yes David, I'm using a release 32 of Firefox to reach my old C6100
> IDRAC7 interface.
> The problem is for latest Firefox versions as they require libgtk-3 not
> available in Centos6/RHEL6 distribution.
>
> Today I use a very very bad solution to reach my switch with latest
> firmware version from the latest Firefox available in CentOS: I disable
> https and use http.
> Even if it is on a private network, in a dedicated vlan behind a
> firewall... I don't like this.

Hello;

Disclosure: I'm the person who does the Pale Moon (Firefox fork) SSE
contributed build for linux. Note: this build is 32-bit only. See
https://forum.palemoon.org/viewtopic.php?f=40&t=13530&start=20#p105849
I subscribe to this list because I use a CentOS 6.5 chroot to do the
builds, and I have occasional questions.

SSE-only machines (i.e. no SSE2 instructions) are old Pentium 3 and
similar. The SSE build will work on newer machines, but may be a bit
slower than the standard build, because it does not use the SSE2
instruction set. Older machines often run distros like Puppy linux
which use older glibc, gtk2, etc. Puppy linux does have security fixes
backported. Because Pale Moon SSE version is built in CentOS 6.5, it
should work in 32-bit CentOS.

You can also try the mainline version of Pale Moon if you want 64-bit.
http://linux.palemoon.org/ It uses gtk2, but I don't know if it's
compatible with other old libraries that CentOS 6 uses. My build goes
out of its way to be compatible with older libraries.

-- 
Walter Dnes

Re: [CentOS] Licence text questions
On Feb 10, 2017, at 9:32 PM, Walter Dnes wrote:
> Other people are interested in doing the same. My choices are...
> * explain how to install CentOS 6.5, which options to choose, turn
>   off boot-to-gui, and how to download and build newer gcc, yasm,
>   and python-2.7 to duplicate my build environment, etc, etc.
> * or send out a 1.3 gigabyte centos65.tar.xz and give simple
>   instructions to extract the archive, copy over /etc/resolv.conf,
>   bind-mount /dev and /proc, chroot into the directory, and get
>   going right away.

Wouldn’t this be easier done as a mock chroot? I realize you’re not
building RPMs, but you could use the chroot for building any software,
and on any arbitrary CentOS or Fedora system.

-- 
Jonathan Billings

Re: [CentOS] Which web browser on CentOS6 ?
Yes David, I'm using a release 32 of Firefox to reach my old C6100
IDRAC7 interface.
The problem is for latest Firefox versions as they require libgtk-3 not
available in Centos6/RHEL6 distribution.

Today I use a very very bad solution to reach my switch with latest
firmware version from the latest Firefox available in CentOS: I disable
https and use http.
Even if it is on a private network, in a dedicated vlan behind a
firewall... I don't like this.

Patrick

David Nelson wrote:

On 2/10/17 3:26 AM, Patrick Begou wrote:

Is there a CentOS6 recommended web browser allowing continuous
connections to old and new base level (and local) system administration
services ?

FYI you can download any previous release of Firefox from the URL below,
and it will run right out of its own directory without being 'installed'
per se. So you could find one that is compatible and keep it separate
from the one you use for regular browsing. You'd probably want to run it
as a different user on your box, and/or a separate profile.

http://ftp.mozilla.org/pub/firefox/releases/

Or if you don't want to worry about which user and profile you're in,
you could try an equivalent release of SeaMonkey.

http://ftp.mozilla.org/pub/seamonkey/releases/

Either way it would enable you to have a more secure, up-to-date browser
for regular use while also having one that is compatible with the other
systems you need to use.