Server maintenance 14th January

The server maintenance of Triton (SSH) is done for now. If you want updates about when we’ll have an update (and when it’s done), make sure to follow Blinkenshell on Twitter and hang around in the IRC channel.

As you might have guessed this is in response to the Meltdown and Spectre attacks. I was not able to successfully run any Meltdown attacks on Triton before the patch because of some other hardening, but I’m sure it was theoretically vulnerable anyway so we definitely needed to patch.

Patching was delayed a bit because I also needed to rip out the old hardening/RBAC system based on Grsecurity and replace it with SELinux. Grsecurity has decided to not provide any free versions of their software and only provide updates to their paying enterprise customers. They’ve previously talked about still providing an option for non-commercial use, but they failed to get anything out even though it’s almost a year since they announced this. It doesn’t even seem like they will provide the community with patches for the very serious bugs Meltdown and Spectre, and they also removed all the old software archives. Basically they have abandoned their old community users, which is a pity, but fortunately there are other alternatives out there. These mailing list messages might shed some light on the “conflict”.

Some of the kernel-hardening work has been included in mainline, and more will hopefully come via some kernel hardening projects. As for the RBAC, Blinkenshell will move to SELinux, which is also included in mainline Linux and fully supported. This might result in a lot of weird problems and errors in the beginning, but we’re starting out pretty light on the policy. Please report any issues to independence.

I also want to say this is probably not the last patch for Meltdown/Spectre, and we will probably have to patch again in the not too distant future so expect more downtimes coming up. In the meantime enjoy updated versions of irssi (1.0.6), weechat (2.0.1) and a lot of other updates!
