Release notes for Excito Bubba 2&3 software version 2.6.0.2

Post by johannes » 13 Mar 2014, 18:13

basd82 wrote: Johannes,

Is Excito planning an upgrade to Wheezy, the Debian stable?
No, but there are initiatives amongst our amazing users to do this. For instance here.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Post by Christian » 17 Mar 2014, 17:47

That's a bit worrying - after all, Debian is expected to support Squeeze only until May - May, 2014, that is. After this date, there will be no more security updates. :-(

I hope that there will be some upgrade path (at least to a bare Debian installation), because I really don't know an alternative to the B3: Small servers consume too much power (and too much space), and the NAS devices of other manufacturers come with heavily stripped-down Linux variants (I use and need the B3 as a small, efficient Linux server).

Post by Gordon » 17 Mar 2014, 19:00

Well, in the two-something years that I've owned a B3 there was really only one security update and because of how I had reconfigured the webserver it turned out that I didn't actually need that patch. Those that had left their B3 standard AND opened up the firewall to allow outside access definitely did need it, but this also shows that whether you require the system to receive security updates or not mostly depends on you. In fact, many core internet servers are running Unix versions that have not had any security update ever, because thirty years ago that was simply not an issue.

What I can tell you however is that some discussion on this subject has taken place in the background and it appears that the primary issue that prevents current Wheezy kernels from booting on the B3 (and other platforms that use u-boot) is under investigation by the main kernel developer group at present. Once they launch a stable version it should be very much possible to adapt this kernel to the specialized B3 hardware. Upgrading to Wheezy should be fairly simple from that point on, but you'll have to be patient. Don't expect this to happen before May this year.

Post by Christian » 25 Sep 2014, 11:57

Sorry for asking again, but is there any chance of getting a more recent Linux distribution running on the B3 (out-of-the box, without manual patching)? I have updated PHP myself by compiling it from source (Owncloud didn't particularly like the outdated B3 Debian PHP version), but I am still worried about miscellaneous issues - most recently, about CVE-2014-6271 (the bash "ShellShock") - the B3 is vulnerable to this problem (you can verify it by executing

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

, courtesy of http://www.heise.de/newsticker/meldung/ ... 03305.html).

Post by Ubi » 25 Sep 2014, 14:57

How are you going to take over the world by printing 'this is a test'?

Post by ingo2 » 25 Sep 2014, 14:58

Another idea came to me to shorten the wait for a Wheezy upgrade from the official side:

Currently Excito is offering its B3 without HD at an attractive price (72€).
If those newly sold boxes came with the patched/upgraded uBoot loader, it would be quite easy for any user with some Linux skill to install a stock Kirkwood-Wheezy.

In that case I'd immediately order one to supplement my existing one, which has for now been degraded to a backup device in the internal LAN - without access to the internet.

Best regards,
Ingo
UNIX is user friendly, it's just picky about who its friends are.

Post by beaufils » 25 Sep 2014, 15:03

@ubi This bug is a serious one. Replace `echo vulnerable` by `rm -rf /` or even less funny stuff like installing some naughty daemon and you will rule the world :-(

Post by Ubi » 25 Sep 2014, 15:08

You can type 'rm -rf' without this bug too. The issue is only relevant if the command is run by root and you do not get the chance to read the script you are running. If this situation is upon you, your problem is not the exploit, but a complete lack of sane system administration.

Now explain how you are going to get this daemon of yours to run as root...

Post by beaufils » 25 Sep 2014, 15:59

As far as I know bash is used by any process using the `system` or `popen` system call (php makes such system calls, for instance). The bug is due to bad processing of environment variables by bash. In Apache for instance HTTP_USER_AGENT is created when processing a request. Thus an attacker could be able to attack a host using apache with an uncorrected bash (as on b3) and execute some random shell code running as www-data.

Nice examples on how to exploit this bug are available online, on stackexchange for instance:
https://security.stackexchange.com/ques ... -exploited
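
The vector described in the post above (a request header such as HTTP_USER_AGENT reaching bash as an environment variable) leaves a trace in the web server's access log. As an added example that is not part of the original posts, the following scans Apache combined-format log lines for Referer or User-Agent values that begin with the `() {` function-definition prefix; the log lines, addresses and the `/cgi-bin/status` path are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag Apache "combined" log entries whose Referer or
# User-Agent begins with "() {", the function-definition prefix that an
# unpatched bash (CVE-2014-6271) parses from environment variables.

# Constructed sample lines (documentation addresses, hypothetical paths).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:15:40:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux armv5tel)"
198.51.100.7 - - [25/Sep/2014:15:41:13 +0200] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:15:41:15 +0200] "GET /cgi-bin/status HTTP/1.1" 404 210 "() { foo; }; echo vulnerable" "curl/7.21.0"
EOF
}

# Reads log lines on stdin; prints "<client> <header> <status>" per hit.
# Fields are split on double quotes, so a header value containing an
# escaped quote (\") shifts the fields: use this as first-pass triage.
scan_shellshock() {
  awk -F'"' '
    function hit(v) { return v ~ /^[ \t]*[(][)][ \t]*[{]/ }
    {
      split($1, pre, " "); split($3, st, " ")
      if (hit($4)) print pre[1], "referer", st[1]
      if (hit($6)) print pre[1], "user-agent", st[1]
    }'
}

# Distinct client addresses that sent at least one matching header.
shellshock_sources() { scan_shellshock | cut -d" " -f1 | sort -u; }

# Stand-alone run over the constructed sample.
sample_log | scan_shellshock
```

A hit with status 200 on a CGI path means the request reached a script and deserves a closer look than one answered with 404.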

Post by Psynapse » 25 Sep 2014, 20:30

ingo2 wrote: Another idea came to me to shorten the wait for a Wheezy upgrade from the official side:

Currently Excito is offering its B3 without HD at an attractive price (72€).
If those newly sold boxes came with the patched/upgraded uBoot loader, it would be quite easy for any user with some Linux skill to install a stock Kirkwood-Wheezy.
Do you mean by following the wiki instructions to install kirkwood?

I already asked if following that procedure would result in the same level of functionality as using the stock Excito Arch linux image (but with all the benefits of a newer foundation), but nobody seemed to know / care / have time to reply. Understandably, bankruptcy is a higher priority right now.

Post by ingo2 » 26 Sep 2014, 10:37

Psynapse wrote: Do you mean by following the wiki instructions to install kirkwood?
No, I had the idea to start with the Bubba-image, then purge all Excito specific packages and upgrade to Debian-Wheezy. That should not cause any significant problems. I did the same on my QNAP TS-109 with Orion Soc: started years ago with install of Lenny and meanwhile upgraded via Squeeze to Wheezy.

Best regards,
Ingo.

BTW: just today the latest 'bash' upgrade was distributed for Squeeze - but only amd64 (which I have still here). ARMEL unfortunately does not have LTS support.
UNIX is user friendly, it's just picky about who its friends are.

Post by Gordon » 26 Sep 2014, 11:15

ingo2 wrote:
Psynapse wrote: Do you mean by following the wiki instructions to install kirkwood?
No, I had the idea to start with the Bubba-image, then purge all Excito specific packages and upgrade to Debian-Wheezy. That should not cause any significant problems. I did the same on my QNAP TS-109 with Orion Soc: started years ago with install of Lenny and meanwhile upgraded via Squeeze to Wheezy.

Best regards,
Ingo.

BTW: just today the latest 'bash' upgrade was distributed for Squeeze - but only amd64 (which I have still here). ARMEL unfortunately does not have LTS support.
Bad idea.

The core Bubba packages act as meta packages for the whole system. If you purge those packages, it will therefore also purge a whole bunch of other packages. Including ssh, meaning you will lose access to the B3. And the kernel.

IMO you should create a new meta package that holds dependencies to all these critical packages you do not want to lose. Only then will it be safe to purge the Bubba packages.
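
The dependency effect described above can be checked before anything is purged by using apt's simulation mode. As an added example that is not from the thread, the following filters `apt-get -s purge` output and reports whether packages you must keep would be removed; the simulation text and the `*-placeholder` package names are constructed, since the thread does not name the Bubba packages.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a purge of a meta package.

# Constructed sample of `apt-get -s purge <meta-package>` output.
# Package names ending in -placeholder are hypothetical.
sample_simulation() {
cat <<'EOF'
Reading package lists... Done
Building dependency tree
The following packages will be REMOVED:
  bubba-meta-placeholder* kernel-pkg-placeholder* openssh-server* some-frontend-placeholder*
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
Purg some-frontend-placeholder [1.0]
Purg openssh-server [1.0]
Purg kernel-pkg-placeholder [1.0]
Purg bubba-meta-placeholder [1.0]
EOF
}

# Usage: apt-get -s purge PKG | critical_losses openssh-server ...
# Prints each must-keep package that the simulation would remove and
# returns non-zero if there is at least one.
critical_losses() {
  awk -v keep="$*" '
    BEGIN { bad = 0; n = split(keep, k, " ")
            for (i = 1; i <= n; i++) want[k[i]] = 1 }
    ($1 == "Purg" || $1 == "Remv") && ($2 in want) { print $2; bad = 1 }
    END { exit bad }'
}

# Stand-alone run over the constructed sample.
sample_simulation | critical_losses openssh-server kernel-pkg-placeholder \
  || echo "purge would remove the packages listed above" >&2
```

Once a replacement meta package depends on the must-keep packages, the same check against a real simulation should print nothing and return zero.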

Post by ingo2 » 26 Sep 2014, 12:10

Gordon wrote: IMO you should create a new meta package that holds dependencies to all these critical packages you do not want to lose. Only then will it be safe to purge the Bubba packages.
Many thanks Gordon for that information - I didn't know,
Ingo
UNIX is user friendly, it's just picky about who its friends are.
