Re: CU178 kernel fixes Testing

Re: CU178 kernel fixes Testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 2812 bytes --]

Hi All,

On 14/08/2023 16:19, jon wrote:
> What about the rebuilds like nmap, monit, nping, etc.??
Looking through the ChangeLog.txt those are not in CU178 so they will end up in CU179. I think CU178 is intended to be a very quick intermediate update due to the kernel vulnerabilities.
> 
> Jon Murphy
> jon.murphy(a)ipfire.org <mailto:jon.murphy(a)ipfire.org>
> 
> 
> 
>> On Aug 14, 2023, at 9:03 AM, Michael Tremer <michael.tremer(a)ipfire.org <mailto:michael.tremer(a)ipfire.org>> wrote:
>>
>> Hello Adolf,
>>
>>> On 14 Aug 2023, at 12:26, Adolf Belka <adolf.belka(a)ipfire.org <mailto:adolf.belka(a)ipfire.org>> wrote:
>>>
>>> Hi All,
>>>
>>>
>>> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.
>>
>> Sorry for the confusion. Arne and I made a quick plan how to move forward with all those large security issues over the phone.
No problem. I was just being very enthusiastic.
>>
>> Since I was traveling last week I didn’t have a chance to test the update (so that at least a second pair of eyeballs has confirmed that we don’t break things really) before the announcement went out. This morning, I installed the update and pretty much immediately pressed the button for the announcement.
>>
>>> So I have tested it on 2 vm systems that I have.
>>>
>>> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.
>>
>> Very good!
>>
>> We decided to push all those changes straight to the master branch so that we gain more testers quickly and moved c178 to 179 and left that in next. In order to be able to release the update as quickly as possible, we didn’t back port anything else from next into master as we couldn’t find anything that is *really* urgent.
>>
>>> OpenVPN RW and N2N both worked as normal after the update.
>>>
>>> Ran for a couple of hours and did a range of web activities.
>>>
>>> Everything worked as expected and all graphs reviewed showed data as normally expected.
>>>
>>>
>>> No problems found.
>>
>> That is the stuff I want to hear :)
Forgot to mention that the two new vulnerabilities are in the Hardware Vulnerabilities menu. My vm's are3 on an AMD machine so the vulnerability for Intel processors shows up as Not Affected and the other vulnerability for AMD processors shows up as Mitigated - safe RET so that is all working too.

Regards,
Adolf.
>>
>> Unless someone reports any new regressions, I would like to release this update maybe on Wednesday or Thursday.
>>
>> Best,
>> -Michael
>>
>>>
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>
>>
> 

Re: CU178 kernel fixes Testing

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3332 bytes --]

Hello,

> On 14 Aug 2023, at 16:40, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi All,
> 
> On 14/08/2023 16:19, jon wrote:
>> What about the rebuilds like nmap, monit, nping, etc.??
> Looking through the ChangeLog.txt those are not in CU178 so they will end up in CU179. I think CU178 is intended to be a very quick intermediate update due to the kernel vulnerabilities.

Since we added some changes after the release of c177 which did not get merged back into master, I cherry-picked that commit again so that we won’t go back on those releases.

>> Jon Murphy
>> jon.murphy(a)ipfire.org <mailto:jon.murphy(a)ipfire.org>
>>> On Aug 14, 2023, at 9:03 AM, Michael Tremer <michael.tremer(a)ipfire.org <mailto:michael.tremer(a)ipfire.org>> wrote:
>>> 
>>> Hello Adolf,
>>> 
>>>> On 14 Aug 2023, at 12:26, Adolf Belka <adolf.belka(a)ipfire.org <mailto:adolf.belka(a)ipfire.org>> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> 
>>>> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.
>>> 
>>> Sorry for the confusion. Arne and I made a quick plan how to move forward with all those large security issues over the phone.
> No problem. I was just being very enthusiastic.

There is no problem with that.

>>> 
>>> Since I was traveling last week I didn’t have a chance to test the update (so that at least a second pair of eyeballs has confirmed that we don’t break things really) before the announcement went out. This morning, I installed the update and pretty much immediately pressed the button for the announcement.
>>> 
>>>> So I have tested it on 2 vm systems that I have.
>>>> 
>>>> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.
>>> 
>>> Very good!
>>> 
>>> We decided to push all those changes straight to the master branch so that we gain more testers quickly and moved c178 to 179 and left that in next. In order to be able to release the update as quickly as possible, we didn’t back port anything else from next into master as we couldn’t find anything that is *really* urgent.
>>> 
>>>> OpenVPN RW and N2N both worked as normal after the update.
>>>> 
>>>> Ran for a couple of hours and did a range of web activities.
>>>> 
>>>> Everything worked as expected and all graphs reviewed showed data as normally expected.
>>>> 
>>>> 
>>>> No problems found.
>>> 
>>> That is the stuff I want to hear :)
> Forgot to mention that the two new vulnerabilities are in the Hardware Vulnerabilities menu. My vm's are3 on an AMD machine so the vulnerability for Intel processors shows up as Not Affected and the other vulnerability for AMD processors shows up as Mitigated - safe RET so that is all working too.

Luckily the IPFire Mini Appliance that I am using for testing isn’t affected by either of them, but I can confirm it works well.

Best,
-Michael

> 
> Regards,
> Adolf.
>>> 
>>> Unless someone reports any new regressions, I would like to release this update maybe on Wednesday or Thursday.
>>> 
>>> Best,
>>> -Michael
>>> 
>>>> 
>>>> 
>>>> Regards,
>>>> 
>>>> Adolf.

Re: CU178 kernel fixes Testing

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2503 bytes --]

Hello,

I already bumped these again and copied them manually into the stable branch.

Users should now see those updates.

But I wasn’t aware of nping… I only did these:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=80ff3f08c49fbf0580392a9afda43d99e50d43ba

-Michael

> On 14 Aug 2023, at 15:19, jon <jon.murphy(a)ipfire.org> wrote:
> 
> What about the rebuilds like nmap, monit, nping, etc.??
> 
> Jon Murphy
> jon.murphy(a)ipfire.org
> 
> 
> 
>> On Aug 14, 2023, at 9:03 AM, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>> 
>> Hello Adolf,
>> 
>>> On 14 Aug 2023, at 12:26, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>> 
>>> Hi All,
>>> 
>>> 
>>> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.
>> 
>> Sorry for the confusion. Arne and I made a quick plan how to move forward with all those large security issues over the phone.
>> 
>> Since I was traveling last week I didn’t have a chance to test the update (so that at least a second pair of eyeballs has confirmed that we don’t break things really) before the announcement went out. This morning, I installed the update and pretty much immediately pressed the button for the announcement.
>> 
>>> So I have tested it on 2 vm systems that I have.
>>> 
>>> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.
>> 
>> Very good!
>> 
>> We decided to push all those changes straight to the master branch so that we gain more testers quickly and moved c178 to 179 and left that in next. In order to be able to release the update as quickly as possible, we didn’t back port anything else from next into master as we couldn’t find anything that is *really* urgent.
>> 
>>> OpenVPN RW and N2N both worked as normal after the update.
>>> 
>>> Ran for a couple of hours and did a range of web activities.
>>> 
>>> Everything worked as expected and all graphs reviewed showed data as normally expected.
>>> 
>>> 
>>> No problems found.
>> 
>> That is the stuff I want to hear :)
>> 
>> Unless someone reports any new regressions, I would like to release this update maybe on Wednesday or Thursday.
>> 
>> Best,
>> -Michael
>> 
>>> 
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
>>> 
>> 
> 

Re: CU178 kernel fixes Testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 2739 bytes --]



On 14/08/2023 17:42, Michael Tremer wrote:
> Hello,
> 
> I already bumped these again and copied them manually into the stable branch.
> 
> Users should now see those updates.
> 
> But I wasn’t aware of nping… I only did these:
> 
>    https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=80ff3f08c49fbf0580392a9afda43d99e50d43ba
nping is one of the binaries from nmap so the bump of nmap package will 
cover nping.

Regards,
Adolf.
> 
> -Michael
> 
>> On 14 Aug 2023, at 15:19, jon <jon.murphy(a)ipfire.org> wrote:
>>
>> What about the rebuilds like nmap, monit, nping, etc.??
>>
>> Jon Murphy
>> jon.murphy(a)ipfire.org
>>
>>
>>
>>> On Aug 14, 2023, at 9:03 AM, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>
>>> Hello Adolf,
>>>
>>>> On 14 Aug 2023, at 12:26, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>>
>>>> Hi All,
>>>>
>>>>
>>>> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.
>>>
>>> Sorry for the confusion. Arne and I made a quick plan how to move forward with all those large security issues over the phone.
>>>
>>> Since I was traveling last week I didn’t have a chance to test the update (so that at least a second pair of eyeballs has confirmed that we don’t break things really) before the announcement went out. This morning, I installed the update and pretty much immediately pressed the button for the announcement.
>>>
>>>> So I have tested it on 2 vm systems that I have.
>>>>
>>>> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.
>>>
>>> Very good!
>>>
>>> We decided to push all those changes straight to the master branch so that we gain more testers quickly and moved c178 to 179 and left that in next. In order to be able to release the update as quickly as possible, we didn’t back port anything else from next into master as we couldn’t find anything that is *really* urgent.
>>>
>>>> OpenVPN RW and N2N both worked as normal after the update.
>>>>
>>>> Ran for a couple of hours and did a range of web activities.
>>>>
>>>> Everything worked as expected and all graphs reviewed showed data as normally expected.
>>>>
>>>>
>>>> No problems found.
>>>
>>> That is the stuff I want to hear :)
>>>
>>> Unless someone reports any new regressions, I would like to release this update maybe on Wednesday or Thursday.
>>>
>>> Best,
>>> -Michael
>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>>
>>>
>>
> 

-- 
Sent from my laptop

CU178 kernel fixes Testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 706 bytes --]

Hi All,


I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.

So I have tested it on 2 vm systems that I have.

After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.

OpenVPN RW and N2N both worked as normal after the update.

Ran for a couple of hours and did a range of web activities.

Everything worked as expected and all graphs reviewed showed data as normally expected.


No problems found.


Regards,

Adolf.

Re: CU178 kernel fixes Testing

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 968 bytes --]

and then after sending this the Core Update Testing message came out. Still I think the testing feedback still applies unless I tested the wrong build version.


Regards,

Adolf.

On 14/08/2023 13:26, Adolf Belka wrote:
> Hi All,
>
>
> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.
>
> So I have tested it on 2 vm systems that I have.
>
> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.
>
> OpenVPN RW and N2N both worked as normal after the update.
>
> Ran for a couple of hours and did a range of web activities.
>
> Everything worked as expected and all graphs reviewed showed data as normally expected.
>
>
> No problems found.
>
>
> Regards,
>
> Adolf.
>
>

Re: CU178 kernel fixes Testing

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1812 bytes --]

Hello Adolf,

> On 14 Aug 2023, at 12:26, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi All,
> 
> 
> I didn't see any further notification about the kernel fixes in CU178 being available to test but looking in the Changelog in the nightlies it seemed that the fixes were available in the CU178 version in master.

Sorry for the confusion. Arne and I made a quick plan how to move forward with all those large security issues over the phone.

Since I was traveling last week I didn’t have a chance to test the update (so that at least a second pair of eyeballs has confirmed that we don’t break things really) before the announcement went out. This morning, I installed the update and pretty much immediately pressed the button for the announcement.

> So I have tested it on 2 vm systems that I have.
> 
> After update the systems were on 178 Development Build master/41e33931. During the reboot on both systems no issues were found and no red warning messages.

Very good!

We decided to push all those changes straight to the master branch so that we gain more testers quickly and moved c178 to 179 and left that in next. In order to be able to release the update as quickly as possible, we didn’t back port anything else from next into master as we couldn’t find anything that is *really* urgent.

> OpenVPN RW and N2N both worked as normal after the update.
> 
> Ran for a couple of hours and did a range of web activities.
> 
> Everything worked as expected and all graphs reviewed showed data as normally expected.
> 
> 
> No problems found.

That is the stuff I want to hear :)

Unless someone reports any new regressions, I would like to release this update maybe on Wednesday or Thursday.

Best,
-Michael

> 
> 
> Regards,
> 
> Adolf.
> 
> 

Re: CU178 kernel fixes Testing

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 407 bytes --]

Hello *,

Core Update 178 (master/41e33931) is running here without any issues for roughly
a day now. A very minor finding is that vulnerabilities.cgi does not give human-
readable names and CVEs for the new vulnerabilities, but that is by no means a
show-stopper, and I'll prepare a patch for fixing this.

IMHO, Core Update 178 is ready to be released.

Thanks, and best regards,
Peter Müller

Re: CU178 kernel fixes Testing

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 546 bytes --]

Thank you for your feedback!

> On 15 Aug 2023, at 16:54, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello *,
> 
> Core Update 178 (master/41e33931) is running here without any issues for roughly
> a day now. A very minor finding is that vulnerabilities.cgi does not give human-
> readable names and CVEs for the new vulnerabilities, but that is by no means a
> show-stopper, and I'll prepare a patch for fixing this.
> 
> IMHO, Core Update 178 is ready to be released.
> 
> Thanks, and best regards,
> Peter Müller