Suricata 2.0.5 for Debian

by on December 16th, 2014

A bugfix update for libhtp 0.5.16 and Suricata 2.0.5 has been released for our beloved debian stable wheezy.
I recommend you to upgrade since the bugs fixed were nasty and could lead to segfaults in some conditions.

Linux 3.18

by on December 10th, 2014

Even if one nasty lockup bug, present since last version 3.17, has not been found, Linus decided to go on and release a new kernel version.
And here are the relevant changes.
Starting with hardware improvements this release added new support for a lot of ARM SoCs (the Tegra based Chromebook is the most notable one) and added PCI support on ARM64 architectures.
ACPI and power management has seen a lot of improvements along with a faster suspend and resume on machines with many CPU cores (typically servers).
Note the better support for the upcoming AMD Carrizo APUs, Wacom tablet enhancements, better game controllers support and many new media drivers.
There have also been many USB subsystem changes.
In the filesystem area Btrfs now has a new recovery and repair support, fsync fixes and many cleanups.
F2FS has seen a lot of additions like atomic and volatile writes.
Numerous minor improvements in XFS and ext4.
Graphics shows as always a lot of improvements in DRM support for AMD Radeon, Intel and Nouveau drivers.
Talking about virtualization Xen has seen added an initial paravirtualized SCSI support.
Nftables continues to grow up with added support for masquerading (IPv4 and IPv6) and many other improvements.
Please take few minutes to read the full changelog.

Suhosin 0.9.37 for Debian

by on December 4th, 2014

A new release of Suhosin, a security PHP extension, is available for debian wheezy!
Please take few minutes to read the changelog of this version.
This debian package will try to install and update the new configuration file. It’s now really well documented so I advise you to do so. The old configuration file will be renamed so you can always see what was your previous configuration until you manually delete this file.
This new configuration file is provided as is and everything is disabled, even the extension itself. To enable it you have to uncomment the first line of /etc/php5/mods-available/suhosin.ini file:


and run this command (if you are updating from my previous package you can skip this step):

php5enmod suhosin

You have to manually reload your apache configuration. This is because you can upgrade your production servers without having to rush and test your configuration before applying it.
It is recommended that you test this extension before putting it in production.
Remember that there is a useful suhosin.simulation directive that permits to log violations without blocking your applications.

grsecurity stable updates

by on November 25th, 2014

For your debian stable installation (wheezy) it’s time to update your grsecurity enabled kernel.
In my stuff page you can find version 3.0-3.2.64-201411231436 and its userland admin tool gradm, updated to version 3.0-201408301734.
As always you can download each package manually or use an automated install with my debian repositories.
Be aware that now grsecurity is offering an automated kernel build service that helps you configure and build your own kernel.
Visit the link above or the official site and e-mail Brad Spengler if you want to try this brand new service!

Linux 3.17

by on October 7th, 2014

Another Linux release, another post. Let’s see what’s new.
Over 250,000 lines of code were deleted due to the removal of a bunch (14) of old, unmaintained drivers.
Several new ARM devices are supported while some not so optimally supported ARM hardware has been stripped from the mainline kernel tree. Also ARM64 kernels can now be built with the -fstack-protector option to detect stack corruption.
The DMA-BUF cross-device synchronization has now proper fence (a fence can be attached to a buffer which is being filled or consumed by hardware, to allow userspace to pass the buffer without waiting to another device) and poll support along with other new functionality that affects many different kernel drivers.
An ACPICA update brings ACPI 5.1 support, faster hibernation, and basic work towards ACPI support on ARM. Another prominent change is the fix for the CPUfreq on-demand governor (faster and more power efficient).
Talking about virtualization there are many improvements inside KVM x86 and ARM support (KVM now works on big-endian ARM systems) and Xen can now boot using EFI under its Dom0.
In the filesystem area the main changes are for F2FS (fixes and improvements) and XFS (now has a sysfs interface).
Changes have been made to the timekeeping core in order to make it ready for the year 2038, the end of the world for unix-like OSes.
Take few minutes to have a look at the full changelog.

Suricata 2.0.4 for Debian

by on September 24th, 2014

Another bugfix release for this IDS/IPS!
Suricata is now at version 2.0.4 and it uses the same libhtp library of the previous version (0.5.15).
Update your debian machines, using my repository, while reading the changelog.

Suricata 2.0.3 for Debian

by on August 21st, 2014

Suricata IDS / IPS has been updated to the latest stable version for your debian wheezy installations!
Suricata has reached version 2.0.3 (branch 2.1 is in development) and the libhtp library packages were also updated to version 0.5.15.
You can download the single packages or, better, use my debian repository.

Linux 3.16

by on August 6th, 2014

A new kernel is out for you to be built and used. Let’s see what it brings.
There is a plethora of ARM hardware and software improvements:
– new 64-bit ARM EFI patch-set enables EFI stub support similar to the x86 one, to let the firmware function as the bootloader and to boot directly into the kernel without having to deal with a separate bootloader (such as GRUB2 or Gummiboot);
– multi-platform ARM kernel image that allows for a single Linux kernel image to work on many different ARM SoCs;
– SMP support for the Marvell Armada 375/38x and Allwinner A31;
– Xen virtualization improvements that include suspend and resume support;
– various other clean-ups and improvements.
Among other architecture work we find KVM improvements (mainly for S390, PowerPC, and MIPS), many MIPS architecture changes (including support for the Octeon III processor.) and scheduler changes and improvements.
In the filesystem area we have notable updates to Btrfs and XFS, while F2FS was updated and now comes with readahead flow enhancements, enhanced I/O flushes, support for trace-maps and support for volumes over two terabytes.
In the graphic area we can see many changes to the Nouveau driver with better hardware support (GK20A GPU, a Kepler GPU found within the Tegra K1 SoC), the usual big amount of work on the Intel DRM graphics side and also big changes on the AMD side with GPU VM and PTE optimizations along with HDMI deep color support and various bug-fixes.
As usual I recommend you read the full changelog.

grsecurity 3.0 updates for Debian

by on July 17th, 2014

Other vulnerabilities were found during the last month in our beloved linux kernel (CVE-2014-4699 is about a missing verification of the ptrace syscall that can lead to local DOS or privilege escalation) so here we are with a new grsecurity release.
This release consist of version 3.0-3.2.61-201407132023 and it’s only a bugfix update: no change in its configuration were made.
It’s only for Debian stable 7 (wheezy), amd64 port.
Please use my Debian repository to upgrade your kernels.

Suricata 2.0.2 for Debian

by on July 2nd, 2014

Here is a new updated version of Suricata intrusion detection and protection system.
In this new release, along with many bug fixes, there’s a new feature: support for NFLOG as a capture method.
If you install or upgrade this package from my repositories every dependency will be honored automatically. But if you want to install this package manually, you have to install libnetfilter-log1 library (required by the NFLOG feature) and also upgrade the libhtp package.
If you want to know how suricata was built and which feature is present, the command

suricata --build-info

will give you all the information you need.