Re: Any 7 rumors?

2014-04-08 Thread Eero Volotinen
>
> Is SL not PCI compliant because it is not a commercial
> effort?  I thought SL got all the patches the RHEL
> got?  Please elucidate.
>
>
There is no PCI requirement to use a commercial OS. Please read the
requirements instead of FUD!

--
Eero


Re: Any 7 rumors?

2014-04-08 Thread ToddAndMargo

On Apr 8, 2014 11:32 PM, "ToddAndMargo" <toddandma...@zoho.com> wrote:

On 04/08/2014 08:25 PM, Paul Robert Marino wrote:

Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
not that expensive for the few systems that really require it. Only the
systems that handle credit cards supposedly require it and in most
ecommerce companies that's probably 2 to 4 systems so what's the
problem with paying $750 a year each for those few systems to not have to
deal with the problems and giving the stock investors a warm and fuzzy
feeling. Your time spent on it costs them more money and it reduces all
the stress on everyone if you buy compliance on the cheap.


Hi Paul,

Is SL not PCI compliant because it is not a commercial
effort?  I thought SL got all the patches the RHEL
got?  Please elucidate.

Oh, and it is a sole proprietor and CHEAP doesn't
begin to describe him.  (Nice guy though.)

Many thanks,
-T





On 04/08/2014 09:24 PM, Jamie Duncan wrote:

PCI compliance is a lot more than just the code. Red Hat goes through
multiple processes with these governing bodies to certify RHEL. That
doesn't pass down to downstream distributions.



Hi Jamie,

Yikes.  That I did not realize.  Thank you for the
heads up!

-T


Re: Any 7 rumors?

2014-04-08 Thread Jamie Duncan
PCI compliance is a lot more than just the code. Red Hat goes through
multiple processes with these governing bodies to certify RHEL. That
doesn't pass down to downstream distributions.
On Apr 8, 2014 11:32 PM, "ToddAndMargo"  wrote:

> On 04/08/2014 08:25 PM, Paul Robert Marino wrote:
>
>> Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
>> not that expensive for the few systems that really require it. Only the
>> systems that handle credit cards supposedly require it and in most
>> ecommerce companies that's probably 2 to 4 systems so what's the
>> problem with paying $750 a year each for those few systems to not have to
>> deal with the problems and giving the stock investors a warm and fuzzy
>> feeling. Your time spent on it costs them more money and it reduces all
>> the stress on everyone if you buy compliance on the cheap.
>>
>
> Hi Paul,
>
> Is SL not PCI compliant because it is not a commercial
> effort?  I thought SL got all the patches the RHEL
> got?  Please elucidate.
>
> Oh, and it is a sole proprietor and CHEAP doesn't
> begin to describe him.  (Nice guy though.)
>
> Many thanks,
> -T
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~
>


Re: Any 7 rumors?

2014-04-08 Thread ToddAndMargo

On 04/08/2014 08:25 PM, Paul Robert Marino wrote:

Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly
not that expensive for the few systems that really require it. Only the
systems that handle credit cards supposedly require it and in most
ecommerce companies that's probably 2 to 4 systems so what's the
problem with paying $750 a year each for those few systems to not have to
deal with the problems and giving the stock investors a warm and fuzzy
feeling. Your time spent on it costs them more money and it reduces all
the stress on everyone if you buy compliance on the cheap.


Hi Paul,

Is SL not PCI compliant because it is not a commercial
effort?  I thought SL got all the patches the RHEL
got?  Please elucidate.

Oh, and it is a sole proprietor and CHEAP doesn't
begin to describe him.  (Nice guy though.)

Many thanks,
-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: Any 7 rumors?

2014-04-08 Thread Paul Robert Marino
Well frankly if you need PCI-DSS compliance pay for RHEL. It's honestly not that expensive for the few systems that really require it. Only the systems that handle credit cards supposedly require it and in most ecommerce companies that's probably 2 to 4 systems so what's the problem with paying $750 a year each for those few systems to not have to deal with the problems and giving the stock investors a warm and fuzzy feeling. Your time spent on it costs them more money and it reduces all the stress on everyone if you buy compliance on the cheap.

-- Sent from my HP Pre3

On Apr 8, 2014 22:55, Nico Kadel-Garcia  wrote:
On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo  wrote:
> Hi All,
>
> I have a customer who is going to have to upgrade a
> whole pail of stuff for PCI compliance (credit card
> security).
>
> Part of what he is going to have to upgrade is his old
> CentOS 5.x server (it is too underpowered to handle
> his new software along with the additional drag
> caused by adding File Integrity Monitoring
> [FIM] Software).
>
> Any rumors as to when EL 7 will be out?
>
> Many thanks,
> -T

Shortly after our favorite upstream vendor publishes it? I don't see
the relevance though. If he needs to update CentOS 5, update it to SL
6 or CentOS 6. Why wait for RHE 7 to update? It's going to be major
cluster futz with the switch to systemd from init scripts, with
"/bin" being migrated to "/usr/bin", and the other major changes. It
will be much simpler, and much, much safer, to update to CentOS 6 or
SL 6 first!

Re: Any 7 rumors?

2014-04-08 Thread Nico Kadel-Garcia
On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo  wrote:
> Hi All,
>
> I have a customer who is going to have to upgrade a
> whole pail of stuff for PCI compliance (credit card
> security).
>
> Part of what he is going to have to upgrade is his old
> CentOS 5.x server (it is too underpowered to handle
> his new software along with the additional drag
> caused by adding File Integrity Monitoring
> [FIM] Software).
>
> Any rumors as to when EL 7 will be out?
>
> Many thanks,
> -T

Shortly after our favorite upstream vendor publishes it? I don't see
the relevance though. If he needs to update CentOS 5, update it to SL
6 or CentOS 6. Why wait for RHE 7 to update? It's going to be major
cluster futz with the switch to systemd from init scripts, with
"/bin" being migrated to "/usr/bin", and the other major changes. It
will be much simpler, and much, much safer, to update to CentOS 6 or
SL 6 first!


Re: Any 7 rumors?

2014-04-08 Thread Jamie Duncan
lots of rumors. ;)


On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo  wrote:

> Hi All,
>
> I have a customer who is going to have to upgrade a
> whole pail of stuff for PCI compliance (credit card
> security).
>
> Part of what he is going to have to upgrade is his old
> CentOS 5.x server (it is too underpowered to handle
> his new software along with the additional drag
> caused by adding File Integrity Monitoring
> [FIM] Software).
>
> Any rumors as to when EL 7 will be out?
>
> Many thanks,
> -T
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan


Any 7 rumors?

2014-04-08 Thread ToddAndMargo

Hi All,

I have a customer who is going to have to upgrade a
whole pail of stuff for PCI compliance (credit card
security).

Part of what he is going to have to upgrade is his old
CentOS 5.x server (it is too underpowered to handle
his new software along with the additional drag
caused by adding File Integrity Monitoring
[FIM] Software).

Any rumors as to when EL 7 will be out?

Many thanks,
-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread P. Larry Nelson

In case this helps, here's what our campus security folks sent out this morning.

==

Mitigation:
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
immediately upgrade can alternatively recompile OpenSSL with
-DOPENSSL_NO_HEARTBEATS."

Quick remote test for potential vulnerability (from linux):
echo ""|openssl s_client -connect $MYHOST:443 -tlsextdebug 2>&1 \
 | egrep 'heartbeat'

An example response of a potentially vulnerable host would be:
TLS server extension "heartbeat" (id=15), len=1

Quick local check for vulnerability:
openssl version -a
Any version other than 1.0.1 through 1.0.1f should be safe. In any
1.0.1 version if the -DOPENSSL_NO_HEARTBEATS flag is listed in the
compiler flags that should mean you're safe.

Spot check:

openssl version -a | grep -oE '1\.0\.1[a-g]?|DOPENSSL_NO_HEARTBEATS'

This should give you the version, if it's 1.0.1, and if the
OPENSSL_NO_HEARTBEATS was listed.

Adding to the spot checks above, once you patch with the official
patches from Ubuntu/Debian/RHEL these simple openssl checks will still
show the heartbeat extension enabled but it shouldn't be vulnerable
anymore. If you have access to Qualys for scanning, the QID for
scanning for this vulnerability is 42430.

The http://heartbleed.com/ site recommends re-issuing certificates
in case of prior compromise of existing private keys as there is no
way to differentiate from normal traffic.

We are recommending to our users to do this as well as any credentials
used over the SSL connection, especially in the last few days. The
vulnerability is easily exploitable and a few tests have returned
valid session cookies at the very least. Supposedly the server's
private key can be exposed as well. Passively there's no way to
determine if this is being exploited. I haven't had time to test with
debugging enabled.

===


Jamie Duncan wrote on 4/8/2014 12:44 PM:

The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
https://access.redhat.com/site/solutions/781793



On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson <jdander...@lbl.gov> wrote:

Is SL5 vulnerable, and will there be a patch?




On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky <riehe...@fnal.gov> wrote:

The updated package should be available now.

Pat


On 04/08/2014 05:43 AM, Adam Bishop wrote:

Good Morning,

I’ve not seen a fixed OpenSSL package drop into the repo’s as of yet.

Apologies for asking the question, but how quickly will this be
packaged and made available (i.e. should I start building the
package myself)?

Regards,

Adam Bishop
Systems Development Specialist

gpg: 0x6609D460
  t: +44 (0)1235 822 245 
   xmpp: ad...@jabber.dev.ja.net 

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/




--
--
Jeffrey Anderson| jdander...@lbl.gov
Lawrence Berkeley National Laboratory   |
Office: 50A-5104E   | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204




--
Thanks,

Jamie Duncan
@jamieeduncan




--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:lnel...@illinois.edu| http://www.roadkill.com/lnelson/
---
 "Information without accountability is just noise."  - P.L. Nelson
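
The checks from the campus advisory above, combined into one triage script. This is an added example, not part of the original thread: the function names, verdict strings and sample inputs are constructed, and the package comparison is a simplified one that only understands EL6 `openssl-1.0.1e` build names, taking the `openssl-1.0.1e-16.el6_5.7` package named elsewhere in this thread as the fixed build.

```shell
#!/bin/sh
# Added example: heartbeat-bug triage from captured command output.
# Function names and verdict strings are made up for this example.

# Fixed SL 6.5 build named in this thread: openssl-1.0.1e-16.el6_5.7
FIXED_REL=16
FIXED_MINOR=7

# stdin: `openssl version -a` text. Applies the advisory's rule: only 1.0.1
# through 1.0.1f are affected, unless built with -DOPENSSL_NO_HEARTBEATS.
classify_version() {
    info=$(cat)
    # First line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$info" |
        sed -n '1s/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')               echo "unknown"; return 0 ;;
        1.0.1|1.0.1[a-f]) ;;                        # affected upstream range
        *)                echo "not-affected"; return 0 ;;
    esac
    if printf '%s\n' "$info" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo "mitigated-no-heartbeats"
    else
        # Vendor backports keep the 1.0.1e string, so the package build decides.
        echo "check-package"
    fi
}

# $1: package name as printed by `rpm -q openssl`. Simplified comparison
# (an assumption of this example): understands only
# openssl-1.0.1e-<rel>.el6[_5.<minor>]; anything else is "unknown".
classify_package() {
    nvr=$1
    rel=$(printf '%s\n' "$nvr" |
        sed -n 's/^openssl-1\.0\.1e-\([0-9][0-9]*\)\.el6.*/\1/p')
    [ -n "$rel" ] || { echo "unknown"; return 0; }
    minor=$(printf '%s\n' "$nvr" |
        sed -n 's/^openssl-1\.0\.1e-[0-9][0-9]*\.el6_5\.\([0-9][0-9]*\).*/\1/p')
    minor=${minor:-0}
    if [ "$rel" -gt "$FIXED_REL" ] ||
       { [ "$rel" -eq "$FIXED_REL" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo "fixed-build"
    else
        echo "unfixed-build"
    fi
}

# stdin: `openssl s_client -tlsextdebug` output. Per the advisory, patched
# servers still advertise the extension, so "advertised" is a lead for
# follow-up, not a verdict.
heartbeat_advertised() {
    if grep -q 'TLS server extension "heartbeat" (id=15)'; then
        echo "advertised"
    else
        echo "absent"
    fi
}

# $1: `openssl version -a` text, $2: `rpm -q openssl` output.
triage() {
    verdict=$(printf '%s\n' "$1" | classify_version)
    if [ "$verdict" = "check-package" ]; then
        verdict=$(classify_package "$2")
    fi
    echo "$verdict"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_EL6='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 00:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -O2 -g'
SAMPLE_REBUILT='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_EL5='OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'

echo "el6, old build:   $(triage "$SAMPLE_EL6" openssl-1.0.1e-16.el6_5.4.x86_64)"
echo "el6, new build:   $(triage "$SAMPLE_EL6" openssl-1.0.1e-16.el6_5.7.x86_64)"
echo "local rebuild:    $(triage "$SAMPLE_REBUILT" '')"
echo "el5:              $(triage "$SAMPLE_EL5" '')"
```

On a live host the inputs would come from `openssl version -a` and `rpm -q openssl`; a "fixed-build" verdict says nothing about keys or credentials exposed before the update.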


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Kelsey Cummings
On 4/8/2014 10:43 AM, Pat Riehecky wrote:
> The SL package is the official fix from upstream.

Thanks for the clarification Pat.

-- 
Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
System Architect  2260 Apollo Way
707.522.1000  Santa Rosa, CA 95407


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Patrick J. LoPresti
On Tue, Apr 8, 2014 at 10:36 AM, Jeffrey Anderson  wrote:
> Is SL5 vulnerable, and will there be a patch?

RHEL / CentOS / SL 5.x ship with OpenSSL 0.9.8(x), which is NOT vulnerable.

 - Pat


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky

On 04/08/2014 12:28 PM, Kelsey Cummings wrote:

On 4/8/2014 7:10 AM, Pat Riehecky wrote:

The updated package should be available now.

Pat, can you clarify if this is the Real Fix from the upstream or just a
build with heartbeats disabled.  I grabbed the Centos quick fix and
pushed it out to all of our SL systems last night in part since their
announcement stated that their package versioning would be overridden
when the upstream released the fix.  Just trying to figure out if I have
to force the new one out or if there's going to be another version bump
soon.


The SL package is the official fix from upstream.

Pat

--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jamie Duncan
The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
https://access.redhat.com/site/solutions/781793



On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson  wrote:

> Is SL5 vulnerable, and will there be a patch?
>
>
>
>
> On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky  wrote:
>
>> The updated package should be available now.
>>
>> Pat
>>
>>
>> On 04/08/2014 05:43 AM, Adam Bishop wrote:
>>
>>> Good Morning,
>>>
>>> I've not seen a fixed OpenSSL package drop into the repo's as of yet.
>>>
>>> Apologies for asking the question, but how quickly will this be packaged
>>> and made available (i.e. should I start building the package myself)?
>>>
>>> Regards,
>>>
>>> Adam Bishop
>>> Systems Development Specialist
>>>
>>>gpg: 0x6609D460
>>>  t: +44 (0)1235 822 245
>>>   xmpp: ad...@jabber.dev.ja.net
>>>
>>> Janet, the UK's research and education network.
>>>
>>>
>>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>> not-for-profit company which is registered in England under No. 2881024
>>> and whose Registered Office is at Lumen House, Library Avenue,
>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>>
>>
>>
>> --
>> Pat Riehecky
>>
>> Scientific Linux developer
>> http://www.scientificlinux.org/
>>
>
>
>
> --
> --
> Jeffrey Anderson| jdander...@lbl.gov
> Lawrence Berkeley National Laboratory   |
> Office: 50A-5104E   | Mailstop 50A-5101
> Phone: 510 486-4208 | Fax: 510 486-4204
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jeffrey Anderson
Is SL5 vulnerable, and will there be a patch?




On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky  wrote:

> The updated package should be available now.
>
> Pat
>
>
> On 04/08/2014 05:43 AM, Adam Bishop wrote:
>
>> Good Morning,
>>
>> I've not seen a fixed OpenSSL package drop into the repo's as of yet.
>>
>> Apologies for asking the question, but how quickly will this be packaged
>> and made available (i.e. should I start building the package myself)?
>>
>> Regards,
>>
>> Adam Bishop
>> Systems Development Specialist
>>
>>gpg: 0x6609D460
>>  t: +44 (0)1235 822 245
>>   xmpp: ad...@jabber.dev.ja.net
>>
>> Janet, the UK's research and education network.
>>
>>
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>> not-for-profit company which is registered in England under No. 2881024
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>
>
>
> --
> Pat Riehecky
>
> Scientific Linux developer
> http://www.scientificlinux.org/
>



-- 
--
Jeffrey Anderson| jdander...@lbl.gov
Lawrence Berkeley National Laboratory   |
Office: 50A-5104E   | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jamie Duncan
CentOS hacked up a fix that disabled the feature prior to Red Hat pushing
the official errata. CentOS replaced the hack ~90 minutes later. FWIW


On Tue, Apr 8, 2014 at 1:28 PM, Kelsey Cummings  wrote:

> On 4/8/2014 7:10 AM, Pat Riehecky wrote:
> > The updated package should be available now.
>
> Pat, can you clarify if this is the Real Fix from the upstream or just a
> build with heartbeats disabled.  I grabbed the Centos quick fix and
> pushed it out to all of our SL systems last night in part since their
> announcement stated that their package versioning would be overridden
> when the upstream released the fix.  Just trying to figure out if I have
> to force the new one out or if there's going to be another version bump
> soon.
>
> --
> Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
> System Architect  2260 Apollo Way
> 707.522.1000  Santa Rosa, CA 95407
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Kelsey Cummings
On 4/8/2014 7:10 AM, Pat Riehecky wrote:
> The updated package should be available now.

Pat, can you clarify if this is the Real Fix from the upstream or just a
build with heartbeats disabled.  I grabbed the Centos quick fix and
pushed it out to all of our SL systems last night in part since their
announcement stated that their package versioning would be overridden
when the upstream released the fix.  Just trying to figure out if I have
to force the new one out or if there's going to be another version bump
soon.

-- 
Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
System Architect  2260 Apollo Way
707.522.1000  Santa Rosa, CA 95407


Re: Apache repository

2014-04-08 Thread Connie Sieh

On Tue, 8 Apr 2014, Werf, C.G. van der (Carel) wrote:


Does anyone know of a decent RHEL6/SL6/Centos6 repository where a newer
version of Apache is available than the 2.2.15 of SL.repo ?

On our current SL5-webserver I installed Apache 2.2.23 from webtatic.repo.
We are now planning to run  Apache on SL6, but the webtatic.sl6 does not
provide Apache anymore.

Regards,
Carel van der Werf



Apache 2.4 is currently in beta (closed beta) via Software
Collections 1.1.  See


http://developerblog.redhat.com/2014/03/20/rhscl-1-1-beta-available-apache-mongodb/

There is also an example of using apache 2.4 from Software Collections 1.1
here


http://developerblog.redhat.com/2014/04/08/apache-with-various-php-versions-using-scl/#more-411758

The above article lists a "COPR" repo which has test versions available. 
Note I do not suggest using the test versions in production.


http://copr-be.cloud.fedoraproject.org/results/rhscl/httpd24/epel-6-x86_64/

Assuming that httpd24 is released as part of Software Collections 1.1 then 
it should be available in SL Software Collections after TUV releases the 
src.rpm and we have had time to build them.


-Connie Sieh


RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
Hello Pat,

With the help of a local admin, this mystery is solved by adding this entry in 
/etc/yum.conf:

http_caching=packages

If I understand this correctly, this entry will enable the software packages to 
be cached by the site web cache, but
not the metadata.

yum update now shows the openssl updates.

Thanks.
Regards,
Peter

-Original Message-
From: Chiu, Peter (STFC,RAL,RALSP) 
Sent: 08 April 2014 16:51
To: Pat Riehecky; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Cc: Chiu, Peter (STFC,RAL,RALSP)
Subject: RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

Thanks, Pat,

From a web browser, I can see the updates openssl-1.0.1e-16.el6_5.7.x86_64.rpm  
under:
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/

So your updates are there,  but my yum installation could not reach them.

I have tried: yum clean expire-cache; yum repolist still reports the errors:

http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2
  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.

I did try yum clean metadata, no joy.

I have also tried wget:
[root@geant ~]# wget 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
--2014-04-08 16:45:08--  
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
Resolving wwwcache.rl.ac.uk... 130.246.132.179 Connecting to 
wwwcache.rl.ac.uk|130.246.132.179|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
2014-04-08 16:45:08 ERROR 404: Not Found.

Any idea?

Peter


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov]
Sent: 08 April 2014 16:05
To: Chiu, Peter (STFC,RAL,RALSP); SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

H.

I'll run another fsync to make sure everything is down on disk.

Can I have you run:

yum clean expire-cache

And try another yum check-update?

Pat

On 04/08/2014 10:00 AM, peter.c...@stfc.ac.uk wrote:
> Hello Pat,
>
> Just tried yum clean all; yum repolist; yum check-update
>
> but no show for the latest OpenSSL fixes.
> Is there a particular repository to use?
>
> Regards,
> Peter
> 
> [root@geant ~]# yum clean all; yum repolist; yum check-update Loaded
> plugins: refresh-packagekit, security Cleaning repos: atrpms elrepo 
> epel rpmforge sl sl-security sl6x sl6x-security Cleaning up Everything 
> Loaded plugins: refresh-packagekit, security
> atrpms
> | 3.5 kB 00:00
> atrpms/primary_db 
> | 1.7 MB 00:00
> elrepo
> | 2.9 kB 00:00
> elrepo/primary_db 
> | 612 kB 00:00
> epel/metalink 
> |  25 kB 00:00
> epel  
> | 4.4 kB 00:00
> epel/primary_db   
> | 6.0 MB 00:00
> rpmforge  
> | 1.9 kB 00:00
> rpmforge/primary_db   
> | 2.7 MB 00:00
> sl
> | 3.6 kB 00:00
> sl/primary_db 
> | 4.1 MB 00:00
> sl-security   
> | 3.0 kB 00:00
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/sec
> urity/repodata/primary.sqlite.z2: [Errno -1] Metadata file does not match 
> checksum Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
> Unknown"
> Trying other mirror.
> http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
> Unknown"
> Trying other mirror.
> ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/secu
> rity/repodata/primary.sqlite.b 2: [Errno -1] Metadata file does not match 
> checksum Trying other mirror.
> sl-security/primary_db
> | 1

RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
Thanks, Pat,

From a web browser, I can see the updates openssl-1.0.1e-16.el6_5.7.x86_64.rpm  
under:
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/

So your updates are there,  but my yum installation could not reach them.

I have tried: yum clean expire-cache; yum repolist still reports the errors:

http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2
  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.

I did try yum clean metadata, no joy.

I have also tried wget:
[root@geant ~]# wget 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
--2014-04-08 16:45:08--  
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
Resolving wwwcache.rl.ac.uk... 130.246.132.179
Connecting to wwwcache.rl.ac.uk|130.246.132.179|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
2014-04-08 16:45:08 ERROR 404: Not Found.

Any idea?

Peter


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov] 
Sent: 08 April 2014 16:05
To: Chiu, Peter (STFC,RAL,RALSP); SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

H.

I'll run another fsync to make sure everything is down on disk.

Can I have you run:

yum clean expire-cache

And try another yum check-update?

Pat

On 04/08/2014 10:00 AM, peter.c...@stfc.ac.uk wrote:
> Hello Pat,
>
> Just tried yum clean all; yum repolist; yum check-update
>
> but no show for the latest OpenSSL fixes.
> Is there a particular repository to use?
>
> Regards,
> Peter
> 
> [root@geant ~]# yum clean all; yum repolist; yum check-update Loaded 
> plugins: refresh-packagekit, security Cleaning repos: atrpms elrepo 
> epel rpmforge sl sl-security sl6x sl6x-security Cleaning up Everything 
> Loaded plugins: refresh-packagekit, security
> atrpms
> | 3.5 kB 00:00
> atrpms/primary_db 
> | 1.7 MB 00:00
> elrepo
> | 2.9 kB 00:00
> elrepo/primary_db 
> | 612 kB 00:00
> epel/metalink 
> |  25 kB 00:00
> epel  
> | 4.4 kB 00:00
> epel/primary_db   
> | 6.0 MB 00:00
> rpmforge  
> | 1.9 kB 00:00
> rpmforge/primary_db   
> | 2.7 MB 00:00
> sl
> | 3.6 kB 00:00
> sl/primary_db 
> | 4.1 MB 00:00
> sl-security   
> | 3.0 kB 00:00
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/sec
> urity/repodata/primary.sqlite.z2: [Errno -1] Metadata file does not match 
> checksum Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
> Unknown"
> Trying other mirror.
> http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
> Unknown"
> Trying other mirror.
> ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/secu
> rity/repodata/primary.sqlite.b 2: [Errno -1] Metadata file does not match 
> checksum Trying other mirror.
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/sec
> urity/repodata/primary.sqlite. z2: [Errno -1] Metadata file does not match 
> checksum Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
> Unknown"
> Trying other mirror.
> http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL retu

Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky

H.

I'll run another fsync to make sure everything is down on disk.

Can I have you run:

yum clean expire-cache

And try another yum check-update?

Pat

On 04/08/2014 10:00 AM, peter.c...@stfc.ac.uk wrote:

Hello Pat,

Just tried yum clean all; yum repolist; yum check-update

but no show for the latest OpenSSL fixes.
Is there a particular repository to use?

Regards,
Peter

[root@geant ~]# yum clean all; yum repolist; yum check-update
Loaded plugins: refresh-packagekit, security
Cleaning repos: atrpms elrepo epel rpmforge sl sl-security sl6x sl6x-security
Cleaning up Everything
Loaded plugins: refresh-packagekit, security
atrpms| 
3.5 kB 00:00
atrpms/primary_db | 
1.7 MB 00:00
elrepo| 
2.9 kB 00:00
elrepo/primary_db | 
612 kB 00:00
epel/metalink | 
 25 kB 00:00
epel  | 
4.4 kB 00:00
epel/primary_db   | 
6.0 MB 00:00
rpmforge  | 
1.9 kB 00:00
rpmforge/primary_db   | 
2.7 MB 00:00
sl| 
3.6 kB 00:00
sl/primary_db | 
4.1 MB 00:00
sl-security   | 
3.0 kB 00:00
sl-security/primary_db| 
1.9 MB 00:00
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.z2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.b
 2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
sl-security/primary_db| 
1.9 MB 00:00
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.
 z2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.b
 2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
repo idrepo name
   statu
atrpms Red Hat Enterprise Linux 6.5 - x86_64 - ATrpms   
2,79
elrepo ELRepo.org Community Enterprise Linux Repository - 
el6 275
epel   Extra Packages for Enterprise Linux 6 - x86_64   
   10,681
rpmforge   RHEL 6.5 - RPMforge.net - dag
4,678
sl Scientific Linux 6.5 - x86_64
6,524
sl-securityScientific Linux 6.5 - x86_64 - security updates 
0
sl6x   Scientific Linux 6x - x86_64 
0
sl6x-security  Scientific Linux 6x - x86_64 - security updates  
0
repolist: 24,954
Loaded plugins: refresh-packagekit, security
sl-security/primary_db| 
1.9 MB 00:00
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.
bz2: [Errno 14] PYCURL ERROR 22 - "The request

RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
Hello Pat,

Just tried yum clean all; yum repolist; yum check-update

but no show for the latest OpenSSL fixes.
Is there a particular repository to use?

Regards,
Peter

[root@geant ~]# yum clean all; yum repolist; yum check-update
Loaded plugins: refresh-packagekit, security
Cleaning repos: atrpms elrepo epel rpmforge sl sl-security sl6x sl6x-security
Cleaning up Everything
Loaded plugins: refresh-packagekit, security
atrpms| 
3.5 kB 00:00 
atrpms/primary_db | 
1.7 MB 00:00 
elrepo| 
2.9 kB 00:00 
elrepo/primary_db | 
612 kB 00:00 
epel/metalink | 
 25 kB 00:00 
epel  | 
4.4 kB 00:00 
epel/primary_db   | 
6.0 MB 00:00 
rpmforge  | 
1.9 kB 00:00 
rpmforge/primary_db   | 
2.7 MB 00:00 
sl| 
3.6 kB 00:00 
sl/primary_db | 
4.1 MB 00:00 
sl-security   | 
3.0 kB 00:00 
sl-security/primary_db| 
1.9 MB 00:00 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.z2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.b
 2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
sl-security/primary_db| 
1.9 MB 00:00 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.
 z2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
 bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.b
 2: [Errno -1] Metadata file does not match checksum
Trying other mirror.
repo id        repo name                                                statu
atrpms         Red Hat Enterprise Linux 6.5 - x86_64 - ATrpms           2,79
elrepo         ELRepo.org Community Enterprise Linux Repository - el6   275
epel           Extra Packages for Enterprise Linux 6 - x86_64           10,681
rpmforge       RHEL 6.5 - RPMforge.net - dag                            4,678
sl             Scientific Linux 6.5 - x86_64                            6,524
sl-security    Scientific Linux 6.5 - x86_64 - security updates         0
sl6x           Scientific Linux 6x - x86_64                             0
sl6x-security  Scientific Linux 6x - x86_64 - security updates          0
repolist: 24,954
Loaded plugins: refresh-packagekit, security
sl-security/primary_db   | 1.9 MB 00:00
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.
bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repod

Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Steven Miano
The advice so far is to not only patch up, and restart services/hosts; but
to also revoke the certs and create new ones.

As the vulnerability left no trace of its happenings in any logs - and
someone who was actively exploiting it could still use the private key or
other ill begot materials.

Just a heads up.

RHEL/SL/Ubuntu/etc really aren't the big cause for concern (in many cases),
but more so the appliances that many enterprises use/buy/deploy.


On Tue, Apr 8, 2014 at 10:47 AM, Adam Bishop  wrote:

> On 8 Apr 2014, at 15:10, Pat Riehecky  wrote:
> >
> > The updated package should be available now.
>
> Brilliant, thanks for the update.
>
> Regards,
>
> Adam Bishop
>
>   gpg: 0x6609D460
>
> Janet, the UK's research and education network.
>
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>



-- 
 Miano, Steven M.
http://stevenmiano.com


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Adam Bishop
On 8 Apr 2014, at 15:10, Pat Riehecky  wrote:
> 
> The updated package should be available now.

Brilliant, thanks for the update.

Regards,

Adam Bishop

  gpg: 0x6609D460

Janet, the UK's research and education network.



Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Bohmer, Andre ten
Yep it is and a heartbleed check now fails (don't forget to restart httpd and
other services which do rely on openssl)

Thanks!
Andre

> -----Original Message-----
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-
> scientific-linux-users@listserv.fnal.gov] On Behalf Of Pat Riehecky
> Sent: Tuesday 8 April 2014 16:10
> To: Adam Bishop; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
> Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability
> 
> The updated package should be available now.
> 
> Pat
> 
> On 04/08/2014 05:43 AM, Adam Bishop wrote:
> > Good Morning,
> >
> > I’ve not seen a fixed OpenSSL package drop into the repos as of yet.
> >
> > Apologies for asking the question, but how quickly will this be packaged
> and made available (i.e. should I start building the package myself)?
> >
> > Regards,
> >
> > Adam Bishop
> > Systems Development Specialist
> >
> >gpg: 0x6609D460
> >  t: +44 (0)1235 822 245
> >   xmpp: ad...@jabber.dev.ja.net
> >
> > Janet, the UK's research and education network.
> >
> >
> > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> > not-for-profit company which is registered in England under No.
> > 2881024 and whose Registered Office is at Lumen House, Library Avenue,
> > Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
> 
> 
> --
> Pat Riehecky
> 
> Scientific Linux developer
> http://www.scientificlinux.org/
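
The reminder in the message above, to restart httpd and other services that rely on openssl after updating, can be checked from the shell. The following is an added example, not part of the original thread: it lists processes that still map the pre-update libssl/libcrypto; the function names, the sample library path and the sample tree are constructed here.

```shell
#!/bin/sh
# Added example: find processes started before the OpenSSL update that still
# map the old (now unlinked) library and therefore still run the old code.

# Print the PIDs whose maps reference a deleted libssl/libcrypto.
# The optional argument is the proc root; it defaults to /proc
# (run as root on a live system to see every process).
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # When a package upgrade replaces the library file, the kernel marks
        # mappings of the old inode with a trailing " (deleted)".
        if grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done | sort -n
}

# Print "PID<TAB>name" for each stale process, the list of services to restart.
report_stale_openssl() {
    proc_root="${1:-/proc}"
    for pid in $(stale_openssl_pids "$proc_root"); do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$proc_root/$pid/status" 2>/dev/null)
        printf '%s\t%s\n' "$pid" "${name:-?}"
    done
}

# Constructed sample tree standing in for /proc, so the check runs offline:
# PID 101 (httpd) still maps the deleted library, PID 202 (sshd) was restarted.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    printf '%s\n' '7f1c2a000000-7f1c2a05c000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)' > "$d/101/maps"
    printf 'Name:\thttpd\n' > "$d/101/status"
    printf '%s\n' '7f9b10000000-7f9b1005c000 r-xp 00000000 fd:00 1422 /usr/lib64/libssl.so.1.0.1e' > "$d/202/maps"
    printf 'Name:\tsshd\n' > "$d/202/status"
    echo "$d"
}
```

An empty result from `report_stale_openssl` on the live system means no running process still holds the old library.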



Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky

The updated package should be available now.

Pat

On 04/08/2014 05:43 AM, Adam Bishop wrote:

Good Morning,

I’ve not seen a fixed OpenSSL package drop into the repos as of yet.

Apologies for asking the question, but how quickly will this be packaged and 
made available (i.e. should I start building the package myself)?

Regards,

Adam Bishop
Systems Development Specialist

   gpg: 0x6609D460
 t: +44 (0)1235 822 245
  xmpp: ad...@jabber.dev.ja.net

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


Re: VMs of EL and other environments

2014-04-08 Thread Paul Griffith
 

On 04/08/2014 08:24 AM, Nico Kadel-Garcia wrote:
> On Tue, Apr 8, 2014 at 12:10 AM, Steven Haigh  wrote:
> 
>> I'm a little biased - but check out: http://xen.crc.id.au/
> 
> Heh. I've not had a chance to play with Xen in about 6 years, when
> I published the first (freeware!) RPM's for it. How's it been since
> Citrix bought it?
> 

XenServer is now open source.


Why did Citrix open source XenServer?

As evidenced by the strong industry response to phase 1 of this strategy, 
moving Xen to the Linux Foundation open source provides us with a way to better 
engage with ecosystem partners to enable innovation. An integral part of phase 
2 of this strategy is to build a centralized user engagement portal 
(XenServer.org) around the open source XenServer that will drive innovation, 
collaboration and customer confidence around Citrix commitment to the XenServer 
product and project. 

Open source also provides alignment with the dominant cloud orchestration 
platforms of CloudStack and OpenStack and meets cloud builder expectations for 
source code availability and open APIs. A strong open source strategy for 
product and go-to-market will result in a stronger platform, a more robust 
partner ecosystem and a strong user community.  Providers will benefit from a 
simpler way to sell a better product to a large and growing market opportunity.

https://www.citrix.com/products/xenserver/whats-new.html


Cheers