Linux 4.2

by on September 7th, 2015

Here are some of the more interesting changes of this kernel version.
The Linux security module stacking patches have been merged, finally giving the kernel the ability to combine security modules in a generic manner.
A new packet classifier called “Flower” has been added. With Flower, “you will be able to classify packets based on a configurable combination of packet keys and masks.” This classifier appears to be entirely lacking in documentation, unfortunately.
A driver for GENEVE (Generic Network Virtualization Encapsulation) tunnels has been added to the networking subsystem.
The netfilter subsystem has gained support for ingress-time packet classification.
Unix-domain sockets now support the splice() system call.
Support for the delay-gradient congestion-control algorithm has been merged.
The F2FS filesystem has gained support for a number of features including per-file encryption.
The control group writeback patches have been merged. This work allows for better control of data writeback within control groups, fixing an area that has not worked well for a long time.
The thermal control subsystem has a new power-allocator governor, designed to divide power among heat sources while keeping the overall temperature of the system within bounds.
The XFS filesystem has gained the ability to directly access persistent-memory devices via the DAX interface.
The CIFS filesystem can now handle (in an experimental mode) version 3.1.1 of the SMB protocol.
As always there is a long list of newly supported hardware. Have a look at the changelog.

Linux 4.1

by on June 28th, 2015

As you may already know, the headline features of this release include support for encrypted ext4 filesystems, the persistent-memory block driver and ACPI support for the ARM64 architecture.
This 4.1 release will also be an LTS release, but there is more…
If you own certain classes of Intel hardware (such as the Intel Core i7 5960X Haswell-E CPU and Iris Graphics) you may notice better performance under this new kernel and, in some cases, better battery life.
The newly published patches for ext4 encryption support come from Google and are intended to land in the next major release of Android.
The block core improvements were focused on the multi-queue block layer (blk-mq). This code was added in Linux 3.13 and can deliver better disk performance with lower latencies by balancing the I/O workload across multiple CPU cores and by supporting multiple hardware queues. Since Linux 3.13, blk-mq has gotten into great shape and is delivering great performance.
After months of work, the Intel-developed PMEM driver (a simple persistent-memory block driver) has been merged, improving the kernel’s support for large non-volatile RAM devices. PMEM is a new block device driver for persistent, non-volatile memory that is mapped into the system’s physical address space as large physical memory regions.
The ACPI work on the ARM64 architecture allows CPUs, the interrupt controller and timers to be initialized from ACPI tables, while the memory information and the rest are passed via EFI.
There have been many other improvements; for more details, have a look at the full changelog.

Suricata 2.0.8 for Debian

by on May 10th, 2015

A security update has been released for the Suricata IDS/IPS, and here is your Debian wheezy package (you can download it directly, or you can configure my repository and Suricata will be upgraded easily).
There are also a few bug fixes in this version that you can review by reading the full changelog.
I’ve been testing 2.0.8 for a while and I don’t see any issues for the moment.

Debian 8 “Jessie”

by on May 2nd, 2015

After two years of development we finally have a new Debian stable release: Jessie!
Jessie consists of more than 43000 ready-to-use software packages, built from nearly 20100 source packages.
A total of ten architectures are supported: 32-bit PC / Intel IA-32 (i386), 64-bit PC / Intel EM64T / x86-64 (amd64), Motorola/IBM PowerPC (powerpc for older hardware and ppc64el for the new 64-bit little-endian hardware), MIPS (mips, big-endian, and mipsel, little-endian), IBM S/390 (64-bit s390x) and, for ARM, armel and armhf for old and new 32-bit hardware, plus arm64 for the new 64-bit AArch64 architecture.
This makes Debian a universal operating system, one of the oldest Linux distributions and one of the most widely used.
Jessie ships with a new default init system, systemd, but the sysvinit init system is still available.
The UEFI support introduced in Wheezy has also been greatly improved in Jessie. This includes support for UEFI on 32-bit systems and for 64-bit kernels with 32-bit UEFI firmware.
This release includes numerous updated software packages, such as:
Apache 2.4.10
Asterisk 11.13.1
GIMP 2.8.14
an updated version of the GNOME desktop environment 3.14
GNU Compiler Collection 4.9.2
Icedove 31.6.0 (an unbranded version of Mozilla Thunderbird)
Iceweasel 31.6.0esr (an unbranded version of Mozilla Firefox)
KDE Plasma Workspaces and KDE Applications 4.14.2
LibreOffice 4.3.3
Linux 3.16.7-ckt9
MariaDB 10.0.16 and MySQL 5.5.42
Nagios 3.5.1
OpenJDK 7u75
Perl 5.20.2
PHP 5.6.7
PostgreSQL 9.4.1
Python 2.7.9 and 3.4.2
Samba 4.1.17
Tomcat 7.0.56 and 8.0.14
Xen Hypervisor 4.4.1
the Xfce 4.10 desktop environment
For more detailed information you can read the full announcement.

Linux 4.0

by on April 18th, 2015

Attention folks, we have a major release of Linux!
Well, if version numbers mean something to you then you can consider this a major release, but in reality it’s just… numbers!
This Linux release is meant to be a stable one: the commit log and the changes are not that big, and a lot of new material has been waiting for the opening of the 4.1 merge window (which looks like it is going to be huge).
The most significant new feature is the foundation code for live kernel patching, which allows critical bugs to be fixed on production servers without rebooting the kernel. This feature represents years of collaboration between the kGraft and Kpatch initiatives from SUSE and Red Hat, respectively.
In addition to the various drivers added and the bug fixes, here is a short list of the main new features:
– Intel Quark SoC x86 platform support and support for many new ARM platforms;
– improvements for XFS, Btrfs and VirtIO 1.0 support for virtual devices;
– dm-crypt encryption mechanism scalability improvements;
– addition of lazytime, a file system mount option that improves system performance;
– kernel address sanitizer for detecting memory issues in the kernel;
– new DRM drivers and other improvements.
Don’t forget to have a look at the changelog.

grsecurity 3.1 for Debian

by on April 6th, 2015

This could be my last grsecurity update for Debian wheezy, since Jessie is almost ready and I’m planning to upgrade as soon as I can.
Anyway, this 3.1 release updates the long-term stable branch of the Linux kernel to version 3.2.68, with grsecurity 3.1-20150402182.
Its userland tool, gradm, has also been updated to version 3.1-201503211320.
You should update your kernels: there are a lot of security bug fixes, and a new feature (GRKERNSEC_CHROOT_RENAME) has been added to prevent root users from breaking out of a chroot jail “by exploiting a race condition between a rename of a directory within a chroot against an open of a symlink with relative path components. This feature will likewise prevent an accomplice outside a chroot from enabling a user inside the chroot to break out and make use of their credentials on the global filesystem.”
If you want to trust the chroot jail environments you have implemented, you should apply this update as soon as you can.

Suricata 2.0.7 for Debian

by on April 4th, 2015

It took me a while, but here is my Debian stable (wheezy) packaged version of libhtp 0.5.17 and Suricata 2.0.7.
This is a bugfix release so you are encouraged to upgrade as soon as you can (maybe after a little bit of testing).
Take your time to review the changelog.

Linux 3.19

by on February 10th, 2015

A new version of the Linux kernel is out, ready to be compiled and used! Let’s see what it brings.
On the hardware support side, AMD HSA (Heterogeneous System Architecture) is closer to reality. HSA is a processor architecture that integrates central processing units and graphics processors on the same bus, with shared memory and shared tasks. With the landing of the AMDKFD driver (which provides basic HSA support for basic OpenCL kernels), it can be used in conjunction with AMD’s Radeon Gallium3D stack and their new HSA library.
Initial hardware support for Intel’s next-generation Skylake graphics has been added. Intel’s Memory Protection Extensions (MPX) are a set of CPU instructions that bring increased robustness to software by checking pointer references. Intel MPX introduces new registers and new CPU instructions that operate on these registers. Modified compilers, runtime libraries and kernels can make use of these instructions to allow the MPX hardware to prevent buffer overflow exploitation. This release adds the kernel-side support. CPUs with MPX support are not yet on the market and will be introduced with the Intel Skylake and Goldmont microarchitectures.
ARM CoreSight is an umbrella of technologies allowing the debugging of ARM-based SoCs. ARM has developed a hardware-assisted tracing solution by means of different components, each added to a design at synthesis time to cater to specific tracing needs. The Linux CoreSight framework provides a kernel interface with which the CoreSight debug and trace drivers register themselves. It is intended to build a topological view of the CoreSight components based on a device tree (DT) specification and to configure the right series of components when a trace source is enabled.
In the filesystem area, Btrfs added support for fast, live device replacement, which is much faster and more efficient than adding the new device and removing the old one in separate commands. The new release also improves RAID 5 and RAID 6 support so that it is closer to parity with the other supported RAID levels.
LZ4 compression has been added to SquashFS. SquashFS originally compressed its data with gzip, but for a few years now it has also supported LZMA and LZO. LZ4 is a lightweight compression algorithm, and its implementation targets embedded systems, with reduced CPU usage and lower memory overhead compared to zlib.
This release also adds support for hole punching and preallocation in NFSv4.2 setups.
In the networking area, this release includes infrastructure to support hardware switch chips. This includes devices supporting L2/L3 switching as well as various flow-offloading chips, including switches embedded in SR-IOV NICs. Also included is a “rocker” driver for an emulated switch chip implemented in QEMU.
As always there are tons of minor changes, and you can view them all starting from the changelog.

Suricata 2.0.6 for Debian

by on January 19th, 2015

This is another bugfix release of the Suricata IDS/IPS for Debian stable.
Everyone should upgrade as soon as possible since there are some evasion issues among the fixes.
Please take a minute of your time to read the changelog.

PHP-Suhosin for Debian

by on December 17th, 2014

This is a hotfix release due to some bugs, as stated in the short changelog:

“This hotfix release changes the newly introduced array index blacklist to not block ‘-’ by default due to incompatibilities with widely used software.
Also, the version string shows ‘’ now (without ‘-dev’).”

Please upgrade your packages, and be sure to also upgrade the suhosin.ini file.