This was going to go into a Lazy Reading post, but then I realized it shouldn’t. Here’s the source: “A Tragically Comedic Security Flaw in MySQL” (via)
The short version: MySQL, compiled a certain way, will allow 1 out of 256 root login attempts to work no matter what. I was going to link to this for the startlingly large number of MySQL installations found allowing connections from the public Internet, which means breaking into any affected servers would be easy. Then I thought about it… I don’t see a my.cnf installed by pkgsrc for at least MySQL 5.1 by default.
To fix this for your own installation, put
in /usr/pkg/etc/my.cnf to disallow remote connections. I don’t know if MySQL on DragonFly from pkgsrc is vulnerable to the issue, but it’s a good idea to not allow remote connections to the database, and ought to be on by default.
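An added example, not from the original post: a shell check that reads one option file and reports whether its `[mysqld]` section keeps the server off the network, using the standard `bind-address` and `skip-networking` options. The function name `mysqld_exposure` and the sample file contents are constructed for illustration; it assumes a single option file and ignores command-line flags and other groups.

```shell
#!/bin/sh
# Report whether an option file keeps mysqld off the network.
# Prints "local-only" or "remote-reachable".
# Assumption: only the [mysqld] group of this one file is inspected.
mysqld_exposure() {
    awk '
        /^[ \t]*[#;]/ { next }                 # whole-line comments
        /^[ \t]*\[/ {                          # section header, e.g. [mysqld]
            s = $0
            sub(/^[ \t]*\[/, "", s)
            sub(/\].*$/, "", s)
            in_mysqld = (s == "mysqld")
            next
        }
        in_mysqld {
            line = $0
            sub(/#.*/, "", line)               # trailing comment
            gsub(/[ \t]/, "", line)
            n = split(line, kv, "=")
            key = kv[1]
            gsub(/_/, "-", key)                # skip_networking == skip-networking
            if (key == "skip-networking" &&
                (n == 1 || kv[2] == "1" || toupper(kv[2]) == "ON"))
                nonet = 1
            if (key == "bind-address")
                bind = kv[2]                   # last occurrence wins
        }
        END {
            if (nonet || bind == "127.0.0.1" || bind == "::1" || bind == "localhost")
                print "local-only"
            else
                print "remote-reachable"       # no setting: listens on all interfaces
        }
    ' "$1"
}

# Constructed sample files, run through the check.
demo=$(mktemp)
# Setting placed under the wrong group: mysqld never sees it.
printf '[client]\nbind-address = 127.0.0.1\n[mysqld]\nport = 3306\n' > "$demo"
mysqld_exposure "$demo"
# Setting under [mysqld]: the server listens on loopback only.
printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$demo"
mysqld_exposure "$demo"
rm -f "$demo"
```

On a pkgsrc install the file to pass is `/usr/pkg/etc/my.cnf`; a missing file or a missing `[mysqld]` setting both count as remote-reachable.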
Or just use Postgres, if possible.
Sepherosa Ziehau has made some changes to SIOCGIFDATA, so if you are using DragonFly-master and pf, you will need a full rebuild. Also pftop, if you use it.
If you are running bleeding-edge DragonFly, libpthread was broken for a short period. If you built anything in the last … 12 hours? You may want to rebuild it. If that doesn’t describe you, it’s a nonevent.
It’s funny that I’m reporting a short-term break in bleeding-edge operating system code as any sort of surprise. It shows something about how stable DragonFly-master is most of the time.
There’s a Day Against DRM sale going on for O’Reilly. 50% off everything, and all the books are DRM-free. I found out about this through Michael Lucas, whose No Starch books are represented there too. It’s a fantastic deal and it’s today only, so strike now while you have the chance.
(I should make a ‘buy buy buy!’ tag for articles.)
If you’re running bleeding-edge DragonFly (meaning version 3.1), you will need to do a full buildworld on your next update. ‘make quickworld’ will appear to succeed but the kernel won’t work.
If you’re running DragonFly 3.0.x, this does not affect you.
Matthias Schmidt found a discussion about DragonFly’s password encryption. The result, if I am reading it correctly, is that brute-forcing the password from available hashes is quicker than it should be. Matthias also found a contributed fix. Samuel Greear updated to match the reference SHA implementation also in Linux, with this very pertinent warning.
The answer is “not very”. As I wrote in a post to kernel@, DragonFly 3.0 will be tagged soon, and released when there are pkgsrc-2011Q4 packages to go with it. Probably a week if everything goes to plan.
The presence of /usr/include/crypt.h in DragonFly (starting in December 2010) meant that some programs compiled during that time will expect that file to always be there. It was recently removed, so any programs compiled in that timeframe will also need to be recompiled. Right now, this affects you only if you are running DragonFly 2.13, since that’s the only place crypt.h was removed. This may be an issue for the release, but we’ll worry about that when we get there… I’m kicking off new 2.13 bulk builds now.
There’s a rare crash in DragonFly 2.10, where applications would segfault. The system would run fine. This is apparently more likely to happen in 2.12, though reports on this vary. It’s real, though.
Matthew Dillon went looking for this bug, and happened to roll back vm_token, the last lock in DragonFly that presented a serious impediment to multiprocessing. It’s a big patch. It fixes the problem, which is great! It also happens to make DragonFly buildworlds almost twice as fast depending on the number of cores in the system.
Holy crap we want to get that out… but it makes some significant changes to the system and needs to be tested. So, the next release probably won’t be for a few weeks.
If you want to help, build master and do something with it – move data, run server programs, whatever. Report crashes. This performance improvement is worth working for.
Some ISA devices have been removed from DragonFly. That probably affects approximately 0% of everyone, cause they’re old devices, but a few of them were in the GENERIC kernel configs, so you’ll get an error for an unrecognized option when you next rebuild your kernel using a GENERIC-based config, based on an older version of GENERIC. The description of which drivers went is quite sensibly placed in UPDATING.
If you’re running 64-bit DragonFly, and you’re on version 2.11, you will want to rebuild with the latest sources. Peter Avalos found a bug with file descriptor passing, and Venkatesh Srinivas fixed it. It will require a quickworld/kernel build – maybe a full buildworld and kernel? I’m not sure. Some pkgsrc packages might need recompilation too, if they also passed file descriptors around.
17 different ISA device drivers have been removed by Sascha Wildner. The commit message has device descriptions. This may mean you need to change your kernel configuration file on the next buildkernel, since some of them were in the GENERIC kernel. If you need any of them, speak up. (I don’t think I’ve ever used any of them. Oh darn.)
If you are a Summer of Code student or mentor, make sure you’ve filled out your midterm survey. Without it, your project fails – and they are due for everyone in roughly the next 24 hours!
Venkatesh Srinivas is making vmobj_token and vm_token much more fine-grained. That’s great, but watch out over the next few weeks as this work goes into 2.11. (i.e. don’t upgrade your DragonFly 2.11 unless you are ready for surprises.) Venkatesh has already found some.
The SMP option is now in the GENERIC kernel config. This means you’ll have an SMP-capable kernel even on a uniprocessor machine, unless you configure a special kernel.
It’s out! See the 2.10 release page for the startlingly extensive list of updates in this version. Download images from the mirrors, or follow these steps (using a 2.10 version number) to build from source.
Sascha Wildner has updated the default version of binutils in DragonFly from 2.17 to 2.21. You’ll want to do a full buildworld on your next upgrade, if you’re running DragonFly 2.9.
Also, Matthew Dillon has made version 6 the default version of Hammer in DragonFly 2.9. Version 6 has improved handling of directory names in some circumstances. Just don’t ask me which, cause I lost track. It’s been a hard day!
The mentor signup page for Google Summer of Code 2011 is available again, launched using a new interface. If you want to be a mentor, please sign up now. The student application period opens tomorrow!
The mentor signup page for Google Summer of Code 2011 as of this writing still says “We have temporarily disabled the creation of new requests and invites in preparation of the launch of the new UI for Melange later this week.”, as it has said since the 20th.
So, if you’re wanting to mentor, keep an eye on it. I’ll send mentor requests to any of the names on my list of people that have already expressed interest, if I get to a working version of the page before you do…
This shouldn’t be a surprise considering recent events: AsiaBSDCon 2011 has had some event cancellations; specifically the tutorials and meetings. The paper presentations starting on the 19th, and the banquet, are still on, however. (via)