Updates For Mozilla Firefox browser 58–>>59 and systemd 237–>>238

Archlinux updated firefox and systemd today. To get the updates, use pacman: # pacman -Syu


Update for Spectre And Meltdown, A Script for Checking Your System

I found a very nice program to run to check whether my computer is vulnerable to Spectre and Meltdown. It is now March 2018, two months after the initial reports of the vulnerabilities in computer processors. What is the state of security with regard to these two?

Thanks to Stéphane Lesimple for the script. The link in the post is a git clone URL (https://github.com/speed47/spectre-meltdown-checker); cloning it downloads everything into its own directory. Inspect the script before running it as root.

A basic run needs no options (it does have some; see --help). It checks your system against the three CVEs assigned to the "speculative execution" vulnerabilities. This is my output.

$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.15.11-1-ARCH #1 SMP PREEMPT Mon Mar 19 18:21:03 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 60 stepping 3 ucode 0x24)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: YES
  * Currently enabled features
    * IBRS enabled for Kernel space: UNKNOWN
    * IBRS enabled for User space: UNKNOWN
    * IBPB enabled: UNKNOWN
* Mitigation 2
  * Kernel compiled with retpoline option: YES
  * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB, IBRS_FW)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
  * PTI enabled and active: YES
* Running as a Xen PV DomU: NO

A false sense of security is worse than no security at all, see --disclaimer
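The "Mitigated according to the /sys interface" lines above come from the kernel's own verdict, exposed since 4.15 under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not part of the original post or of Stéphane Lesimple's checker: it reads that directory, classifies each entry, and exits non-zero if anything reports Vulnerable, so it can run from cron or a config-management check. The directory built in demo() is constructed for the example; real entry names and strings vary with the kernel version.

```shell
#!/bin/sh
# Added example, not part of the original post or of the checker script: a reader for
# the kernel's verdict in /sys/devices/system/cpu/vulnerabilities/*, the interface
# behind the checker's "Mitigated according to the /sys interface" lines. It exits
# non-zero if any entry is Vulnerable. The directory built in demo() is constructed;
# real entry names and status strings vary by kernel version.

# classify STATUS: prints mitigated | not_affected | vulnerable | unknown
classify() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# check_dir [DIR]: one line per entry; returns 1 if anything is vulnerable,
# 2 if there are no readable entries (kernels before 4.15 have no such directory)
check_dir() {
  dir=${1:-/sys/devices/system/cpu/vulnerabilities}
  rc=2
  for f in "$dir"/*; do
    [ -r "$f" ] || continue
    [ "$rc" -eq 2 ] && rc=0
    raw=$(cat "$f")
    cls=$(classify "$raw")
    printf '%-22s %-13s %s\n' "$(basename "$f")" "$cls" "$raw"
    [ "$cls" = vulnerable ] && rc=1
  done
  return "$rc"
}

# demo: a constructed directory mirroring the three verdicts in the post, plus one
# deliberately vulnerable entry so the non-zero exit path is exercised
demo() {
  d=$(mktemp -d)
  printf 'Mitigation: __user pointer sanitization\n' >"$d/spectre_v1"
  printf 'Mitigation: Full generic retpoline, IBPB, IBRS_FW\n' >"$d/spectre_v2"
  printf 'Mitigation: PTI\n' >"$d/meltdown"
  printf 'Vulnerable\n' >"$d/constructed_entry"   # constructed; not a real sysfs name
  rc=0
  check_dir "$d" || rc=$?
  rm -rf "$d"
  return "$rc"
}

# usage: ./sysfs-vulns.sh [DIR]   (live system by default)   |   ./sysfs-vulns.sh --demo
if [ "${1:-}" = --demo ]; then demo; else check_dir "${1:-}"; fi
```

Note that a "Mitigation:" verdict only says the kernel believes a mitigation is active for that variant; it does not check microcode, as the checker's hardware section does, which is why the two are worth reading together.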

Desktops and Asus Zenphones

I put together my desktop three years and two months ago. It's an ASUS Z97 motherboard paired with a 4th-generation i5-4590 CPU. I'm glad I went for 16 GB of RAM, because I'm still smiling at how fast this machine is after using it every day all this time. Yes, I've purchased hard disks and replaced old ones, but I'm still using the original solid-state drive, a Crucial 240 GB SSD. The whole package cost 37,000 in 2014.

I am still using my ASUS ZenFone ZE551ML. I got this smartphone in 2014. It has a quad-core Intel Atom and 4 GB of RAM, and it runs Android.

I had to replace my monitor last year. I am now using a 22-inch AOC IPS monitor with Full HD resolution.

I stopped using RAID and gained back storage space. I am enjoying a total of 10 TB of pooled storage after using logical volume management to put together five disks. Two of the five are 3 TB disks and the rest are 2 TB disks. The mix is dictated by cost; the cost-effective size is still 3 TB.

I am trying to get a high-speed internet connection in our area, and waiting…

Updates For: linux kernel 4.14 –>> 4.15 ; systemd 236–>>237 And Libreoffice 5–>>6

I just ran my weekly Arch update with $ pacman -Syu

I updated my linux kernel from 4.14.15.x to 4.15.2.x.

Libreoffice is now running version 6. systemd updated from 236 to 237.

Pacman replaced the following packages with the ones in extra/repos.
[2018-02-12 13:24] [ALPM] removed xineramaproto (1.2.1-3)
[2018-02-12 13:24] [ALPM] removed xf86vidmodeproto (2.3.1-3)
[2018-02-12 13:24] [ALPM] removed videoproto (2.3.3-1)
[2018-02-12 13:24] [ALPM] removed scrnsaverproto (1.2.2-2)
[2018-02-12 13:24] [ALPM] removed renderproto (0.11.1-3)
[2018-02-12 13:24] [ALPM] removed recordproto (1.14.2-2)
[2018-02-12 13:24] [ALPM] removed randrproto (1.5.0-1)
[2018-02-12 13:24] [ALPM] removed kbproto (1.0.7-1)
[2018-02-12 13:24] [ALPM] removed inputproto (2.3.2-1)
[2018-02-12 13:24] [ALPM] removed fontsproto (2.1.3-2)
[2018-02-12 13:24] [ALPM] removed damageproto (1.2.1-3)
[2018-02-12 13:24] [ALPM] removed compositeproto (0.4.2-3)
[2018-02-12 13:24] [ALPM] removed fixesproto (5.0+9+g4292ec1-1)
[2018-02-12 13:24] [ALPM] removed xproto (7.0.31-1)
[2018-02-12 13:24] [ALPM] removed xextproto (7.3.0-1)

Installed Squid: A Web Cache Service On My Box

I am familiar with web servers: boxes on the LAN that you connect to in order to get a web page. Squid is a different thing, a caching proxy rather than a web server: programs send their requests through it, it fetches the content on their behalf and keeps a copy for the next request. What was new to me is that I can run Squid on my own box so that it serves localhost and any program on it that needs to reach web resources. The same desktop box could also function as a web server down the line if needed.

In Arch, install Squid with the command # pacman -S squid.

The configuration file is /etc/squid/squid.conf. The default cache directory is /var/cache/squid.

The only item I really had to modify is http_port. The default port Squid listens on is 3128. I want all web traffic leaving the default network interface to go through Squid without configuring every program for a proxy; this is transparent, or intercepting, proxying. On the Squid side it is enabled by adding intercept to the port line: http_port 3128 intercept. Note that intercept only tells Squid to expect connections that the firewall has NAT-redirected to it; the redirection itself is a separate iptables/nftables REDIRECT rule sending port 80 traffic to 3128, and without that rule nothing ever reaches the proxy.

When you finish modifying the configuration file, check it with # squid -k parse, which only parses the file (squid -k check also expects a running instance). Checking the logs is very helpful too (cache.log under /var/log/squid on Arch). I got an ERROR: No forward proxy port configured message several times. I checked the squid-cache website and found this explanation.

Squid has been configured without any port capable of receiving forward-proxy traffic.

Squid occasionally needs to generate URLs for clients to fetch supplementary content. Images in error pages or FTP and Gopher indexes, cache digests, NetDB, cache manager API, etc.

In order to produce a valid URL Squid requires a port configured to receive normal forward-proxy traffic. The standard well-known port assigned for this is port 3128.

This error occurs when port 3128 has been incorrectly altered into an interception port.

So my fix is to configure a second port as a dedicated forward-proxy port for Squid: I added http_port 3129 next to http_port 3128 intercept in the config file. Keep the default http_access rules (allow localhost and localnet, then deny all) above that port's traffic; a forward port that answers anyone who can reach it is an open proxy.

Start and enable the service with # systemctl start squid.service and # systemctl enable squid.service (or # systemctl enable --now squid.service in one step).
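The port mistake above is easy to repeat after any later edit, so here is a pre-flight lint for squid.conf. It is an added example, not from the original post or from the Squid project: it fails if the file has no plain forward-proxy port (the condition behind "No forward proxy port configured") or no closing http_access deny all, and only then hands the file to Squid's own parser. The two configs written in demo() are constructed for the example, not real files; the port numbers follow the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Squid: a pre-flight lint for
# squid.conf that catches the "No forward proxy port configured" condition the post
# ran into, plus the http_access rule that keeps the forward port from being an open
# proxy, before handing the file to Squid's own parser (squid -k parse).
# The two configs written in demo() are constructed for this example, not real files.

# forward_ports CONF: print each http_port line that is a plain forward-proxy port
# (no intercept/tproxy/transparent mode flag); fail if there is none.
forward_ports() {
  grep -E '^[[:space:]]*http_port[[:space:]]' "$1" \
    | grep -Ev '[[:space:]](intercept|tproxy|transparent)([[:space:]]|$)' \
    | grep .
}

# lint_squid_conf CONF: 0 if the file has a forward port and a closing deny rule
lint_squid_conf() {
  conf=$1
  if ! grep -Eq '^[[:space:]]*http_port[[:space:]]' "$conf"; then
    echo "$conf: no http_port line at all" >&2
    return 1
  fi
  if ! forward_ports "$conf" >/dev/null; then
    echo "$conf: only intercept ports; Squid will log 'ERROR: No forward proxy port configured'. Add a plain port, e.g. 'http_port 3129'" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all' "$conf"; then
    echo "$conf: no 'http_access deny all'; the forward port would answer anyone who can reach it" >&2
    return 1
  fi
  return 0
}

# demo: the broken variant from the post next to the fixed one (constructed files)
demo() {
  d=$(mktemp -d)
  printf 'http_port 3128 intercept\nhttp_access allow localhost\nhttp_access deny all\n' >"$d/broken.conf"
  printf 'http_port 3128 intercept\nhttp_port 3129\nhttp_access allow localhost\nhttp_access deny all\n' >"$d/fixed.conf"
  lint_squid_conf "$d/broken.conf" || echo "broken.conf rejected, as expected"
  lint_squid_conf "$d/fixed.conf" && echo "fixed.conf accepted"
  rm -rf "$d"
}

# usage: ./squid-lint.sh --demo   |   ./squid-lint.sh /etc/squid/squid.conf
if [ "${1:-}" = --demo ]; then
  demo
elif [ $# -eq 1 ]; then
  lint_squid_conf "$1" && squid -k parse -f "$1"
fi
```

The lint is textual on purpose: it runs before Squid starts and needs no root. It does not replace squid -k parse, which is why the script chains to it once the two checks pass.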

How To Get An Archiso Ready In A USB Device

You will need a computer with an internet connection. Download the installation media from the Download page of archlinux.org; it is better to get it from the official site than from a third-party mirror. Verify the download against the ISO's PGP signature (the .iso.sig file, also on the Download page): a checksum only proves the file arrived intact, while the signature proves it was produced by the Arch release engineers.

I usually download via the magnet link (with a torrent client) because it's faster, and seeding it for a while is my way of giving back. I keep the latest .iso and .iso.sig files in their own directory. Then I verify the signature with $ gpg --keyserver-options auto-key-retrieve --verify archlinux-yyyy.mm.dd-x86_64.iso.sig (gpg finds the .iso by dropping the .sig suffix). Auto-retrieval fetches whatever key the signature names, so compare the fingerprint gpg prints with the release signing key fingerprint published on the Download page before trusting the result.

The Straightforward Easy Way

We will use the dd command. It will overwrite the entire USB flash drive, and any data on it will be lost. You won't be able to write any data to the stick while it is installation media. If you want to reuse the device later, you can wipe its partition table with # dd bs=512 if=/dev/zero of=/dev/sdx count=1 status=progress oflag=sync; note that count=1 clears only the first 512-byte sector, not the whole drive.

To create the Arch Linux installer USB device, type # dd bs=4M if=/path/to/archiso/archlinux-yyyy.mm.dd-x86_64.iso of=/dev/sdx status=progress oflag=sync. Double-check /dev/sdx first (lsblk shows which device is the stick and whether any of its partitions are mounted); dd does not ask before overwriting.
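The verify-then-write steps above, as one script with the safety rails a practitioner wants before pointing dd at a device. This is an added example, not from the original post: it refuses partition nodes, paths that are not whole-disk device nodes, and devices that appear in the mounts table, and it aborts if the signature check fails. Assumptions, labelled in the code: whole-disk nodes are matched as /dev/sd[a-z], /dev/nvmeXnY or /dev/mmcblkX; the mounts table is /proc/mounts unless MOUNTS_TABLE overrides it (which is how the constructed table in the usage note is fed in); the .sig file sits next to the ISO.

```shell
#!/bin/sh
# Added example, not from the original post: verify the archiso signature, then write
# it with dd only after checking that the target really is an unmounted whole disk.
# Assumptions: whole-disk nodes look like /dev/sd[a-z], /dev/nvmeXnY or /dev/mmcblkX;
# the mounts table is /proc/mounts unless MOUNTS_TABLE is set (used for testing with a
# constructed table); the detached signature is <iso>.sig in the same directory.

# verify_iso ISO SIG: verify the detached signature, fetching the signing key on demand
verify_iso() {
  gpg --keyserver-options auto-key-retrieve --verify "$2" "$1"
}

# device_is_mounted DEV [MOUNTS]: 0 if DEV or any partition of it (sdb1, nvme0n1p2)
# appears as a mounted source in the mounts table
device_is_mounted() {
  grep -Eq "^$1(p?[0-9]+)?[[:space:]]" "${2:-/proc/mounts}"
}

# write_iso ISO DEV: refuse missing ISOs, partitions, non-device paths and mounted
# devices; only then run dd exactly as in the post
write_iso() {
  iso=$1; dev=$2; mounts=${MOUNTS_TABLE:-/proc/mounts}
  [ -r "$iso" ] || { echo "no such ISO: $iso" >&2; return 1; }
  case "$dev" in
    /dev/sd[a-z]|/dev/nvme[0-9]n[0-9]|/dev/mmcblk[0-9]) ;;
    *) echo "refusing: $dev is not a whole-disk device node" >&2; return 1 ;;
  esac
  if device_is_mounted "$dev" "$mounts"; then
    echo "refusing: $dev (or a partition of it) is mounted; unmount it first" >&2
    return 1
  fi
  dd bs=4M if="$iso" of="$dev" status=progress oflag=sync
}

# main ISO DEV: signature first, then the write
main() {
  iso=$1; dev=$2
  verify_iso "$iso" "$iso.sig" || { echo "signature check failed; do not use this image" >&2; return 1; }
  write_iso "$iso" "$dev"
}

# usage: sudo ./write-archiso.sh archlinux-yyyy.mm.dd-x86_64.iso /dev/sdx
if [ $# -eq 2 ]; then main "$@"; fi
```

To dry-run the guards without touching hardware, point MOUNTS_TABLE at a constructed file containing a line such as /dev/sdb1 /mnt/usb vfat rw 0 0 and call write_iso with /dev/sdb: it refuses before dd runs.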

If You Are In A Linux Distro With GNOME
You can use Nautilus with gnome-disk-utility installed: right-click the .iso file and choose Open With Disk Image Writer. It writes the image to the whole USB device, just as dd does, so anything already on the stick is lost.

Step Outline For Rebuilding AUR Packages In Arch

Once again an Arch update of webkitgtk breaks gnucash. GnuCash is the accounting application I depend on for keeping track of my expenses. It has been moved from the official repos to the Arch User Repository, or AUR. What this means for users is that responsibility for updates, dependencies included, passes solely to the user: any dependency that gets an update must be rebuilt, and since nothing in the AUR is reviewed by Arch, each PKGBUILD should be read before it is built. The only problem with rebuilding webkitgtk is that it takes ages; in my case four hours.

First, check that your system has the tools.
$ sudo pacman -S --needed base-devel git devtools

Prepare the filesystem on which you will build the package. On Arch, /tmp is a RAM-backed tmpfs mounted nosuid; this remount re-enables setuid binaries there for the duration, and a large build tree like webkitgtk's has to fit in RAM. A build directory on disk avoids both concerns.
$ sudo mount -o remount,exec,suid /tmp
$ sudo mkdir -p /tmp/source/chroot
$ cd /tmp/source

Create the chroot.
$ sudo mkarchroot chroot/root base-devel

It's time to get the package sources. Read the PKGBUILD (and any .install script) before building anything.
$ git clone "https://aur.archlinux.org/package_name.git"
$ cd package_name
$ makechrootpkg -T -r ../chroot/
The -T flag builds in a temporary copy of the chroot, and -r points to the chroot directory created above (the one containing root/), so the clean root is never modified by a build.

You will have to repeat the steps above for every dependency that needs rebuilding and copy each *.pkg.tar.xz into the /var/cache/pacman/pkg directory. Keeping the built packages in the pacman cache means you don't rebuild everything on every update; you only build the packages affected.

Copy the *.pkg.tar.xz to /var/cache/pacman/pkg/.
$ sudo cp *.pkg.tar.xz /var/cache/pacman/pkg/

Build the main package, installing the already-built dependency into the build chroot with -I.
$ makechrootpkg -T -r ../chroot/ -I /path-to-package/package_name.pkg.tar.xz

Install the package.
$ sudo pacman -U /path-to-package/package_name.pkg.tar.xz
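The whole procedure as one script, so the dependency and the main package are built the same way every time webkitgtk moves. This is an added example, not from the original post or from Arch's devtools: it clones (or updates) the AUR package, shows the PKGBUILD and asks for an explicit yes before building, looks up each already-built dependency in the pacman cache by name instead of a hand-typed path, and copies the result back into the cache. Paths follow the post; CHROOT and PKGCACHE are assumed overridable from the environment, and the package names are whatever you are rebuilding.

```shell
#!/bin/sh
# Added example, not from the original post or from devtools: the rebuild steps above
# as one script. Two additions a practitioner wants: the PKGBUILD is shown for review
# before anything is built (the AUR is unreviewed third-party content), and already-built
# dependencies are looked up in the pacman cache by name instead of being typed as paths.
# Paths follow the post; CHROOT and PKGCACHE can be overridden from the environment.
CHROOT=${CHROOT:-/tmp/source/chroot}
PKGCACHE=${PKGCACHE:-/var/cache/pacman/pkg}

# latest_pkg DIR NAME: print the newest built package file for NAME in DIR, or fail.
# The NAME-[0-9]* glob keeps "webkitgtk" from matching "webkitgtk2-..." or "webkitgtk-debug-...".
latest_pkg() {
  set -- "$1"/"$2"-[0-9]*.pkg.tar.*
  [ -e "$1" ] || return 1          # glob did not match: the literal pattern is not a file
  ls -1t "$@" | head -n 1
}

# review_pkgbuild DIR: show the PKGBUILD and require an explicit yes before building
review_pkgbuild() {
  ${PAGER:-less} "$1/PKGBUILD"
  printf 'Build %s from this PKGBUILD? [y/N] ' "$1"
  read -r ans
  [ "$ans" = y ] || [ "$ans" = Y ]
}

# build_aur NAME [DEP...]: clone or update NAME from the AUR, inject each DEP's newest
# build from the cache into the temporary chroot (-I), build, and copy the result back.
build_aur() {
  name=$1; shift
  [ -d "$CHROOT/root" ] || sudo mkarchroot "$CHROOT/root" base-devel
  if [ -d "$name" ]; then
    (cd "$name" && git pull --ff-only)
  else
    git clone "https://aur.archlinux.org/$name.git"
  fi
  review_pkgbuild "$name" || return 1
  inject=""
  for dep; do
    p=$(latest_pkg "$PKGCACHE" "$dep") || { echo "no built package for $dep in $PKGCACHE; build it first" >&2; return 1; }
    inject="$inject -I $p"         # files in the pacman cache have no spaces in their names
  done
  (cd "$name" && makechrootpkg -T -r "$CHROOT" $inject) || return 1
  sudo cp "$name"/*.pkg.tar.* "$PKGCACHE"/
}

# usage, from /tmp/source:  ./aur-rebuild.sh webkitgtk   then   ./aur-rebuild.sh gnucash webkitgtk
if [ $# -gt 0 ]; then build_aur "$@"; fi
```

After the second run, install with pacman -U as in the last step above; the built file is in both the package directory and the cache.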

Problem With Mail Authentication In Evolution Mail

I encounter this pervasive and nagging bug in Evolution Mail's strange relationship with its fellow GNOME app Seahorse (although it goes by the name Passwords and Keys now in GNOME 3.26). I have a secondary email account and I wanted to use it for sending mail (SMTP) temporarily (just in this case). So I finished composing my email and clicked Send. Then it asked me for my SMTP password, which I thought was odd because I had been receiving email in the inbox of this account. It's unlikely a user would have one password for login and another for sending email. But I found the password in my password manager and gave it the correct one (copy and paste). And here it began: the Mail Authentication Failure window from Evolution continually asking for the password. I checked Seahorse for the password by entering a filter in the search bar. It has my password and it is the correct password. So what is happening here?

I found this same problem in the Ubuntu forum and on Ask Ubuntu, where there were several suggestions: deleting the email account in Evolution, or deleting the entry for the email account's tokens in Seahorse. There were even a couple of patches introduced back in 2014, so the fix should be included in the latest versions of Evolution and Seahorse. But here we are again.

My last desperate attempt at fixing my problem goes through GNOME Online Accounts, which is now just a tab in Settings.

So here goes. My first step was to close both Seahorse and Evolution. Then I opened Evolution to verify the problem was still there. I might have logged out too, but I don't see the point.

I disabled the account. In my case only one account was nagging me. I disabled it by going to Alt+E(dit), A(ccounts) and choosing the account.

I opened GNOME Online Accounts and chose from the available services. This is when I remembered that I hadn't created an account here for GOA. Tip: if you have an account in Evolution that didn't come through GOA, you might encounter this problem.

That's it. Once the account is created in GOA, it appears in Evolution. And no more nagging.