Posts for September 2009

2009-09-10: WebAuth 3.6.2

The Stanford Information Security Office uncovered a problem with the WebLogin server that's been present since 3.5.5. Under still-mysterious circumstances, the code intended to detect cookie support would trigger and rewrite the login submission as a GET instead of a POST, causing the user's password to end up in the URL. That potentially exposes it to attacks on browser history, to other people using the same systems, and, via the referrer information, to the web server to which they're authenticating.

This release fixes this problem by always removing the password from any redirect, by not redirecting after a form submission via POST (on the assumption that a browser that has submitted the form does support cookies at that point and is just lying), and by rejecting all authentications via GET. The only changes are to the WebLogin server.
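The three mitigations above, as an added example in Python that is not WebAuth's code (the real WebLogin server is a Perl CGI): a login handler that accepts credentials only via POST, never redirects a form submission back through the cookie test, and scrubs sensitive parameters from every Location header it emits. The cookie name, the form field names and the `unsafe_cookie_test` function are assumptions, included only to show the pattern being avoided.

```python
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumptions (not from WebAuth): a test cookie of this name is set when the
# login form is first served, and only these form fields are sensitive.
TEST_COOKIE = "webauth_cookie_test"
SENSITIVE_PARAMS = frozenset({"password"})

log = logging.getLogger("weblogin-example")


@dataclass
class Request:
    method: str
    params: Dict[str, str]                        # form fields (POST) or query (GET)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def scrub_redirect(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Drop sensitive query parameters from a URL before it goes into a
    Location header, whatever path the URL arrived by."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in sensitive]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def redirect(url: str) -> Response:
    """The only way this handler emits a redirect: every Location is scrubbed."""
    return Response(303, {"Location": scrub_redirect(url)})


def unsafe_cookie_test(req: Request) -> Response:
    """The pattern that caused the problem (shown for contrast; hardened_login
    never calls it): bounce the browser back to the login URL with the
    submitted fields folded into the query string to see whether the test
    cookie comes back.  Run after a form submission, this puts the password
    in the URL, where history, shared machines and the Referer header see it."""
    return Response(302, {"Location": "/login?" + urlencode(req.params),
                          "Set-Cookie": f"{TEST_COOKIE}=1"})


def hardened_login(req: Request,
                   authenticate: Callable[[str, str], bool]) -> Response:
    # 1. Credentials are accepted only from a POST body, never from a URL.
    if req.method != "POST":
        return Response(405, {"Allow": "POST"},
                        "Authentication must be submitted via POST")
    # 2. A browser that submitted the form was already served the page that
    #    set the test cookie.  If the cookie is missing anyway, do not bounce
    #    the submission through another cookie test; note it and carry on.
    if TEST_COOKIE not in req.cookies:
        log.warning("POST without test cookie; continuing without redirect")
    user = req.params.get("username", "")
    password = req.params.get("password", "")
    if not user or not password or not authenticate(user, password):
        return Response(401, body="Login failed")
    # 3. Any redirect we issue (here to a caller-supplied return URL) goes
    #    through redirect(), which strips the password if it somehow ended up
    #    in that URL.  Validating the return URL against an allowlist is a
    #    separate check that this example does not perform.
    return redirect(req.params.get("return_url", "/"))
```

The scrubbing is applied in the one function that builds redirects rather than at each call site, so a future code path cannot forget it; the method check comes first so that a credential-bearing GET is refused before anything looks at its parameters.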

See the security advisory for more information.

You can get the latest version from the WebAuth web site or from my WebAuth distribution page.

2009-09-14: Lintian 2.2.15

I've been feeling like I've been neglecting Lintian, but actually, looking at the changelog, I've been doing about a release a month for the last several months. So it's more that a release a month isn't keeping up, quite, with the influx of bugs these days. To think I'd gotten it down to about 80 open bugs earlier this year....

Anyway, this release is almost entirely BTS cleanup, with no large changes or structural work. I think I knocked around 30-35 bugs off the list, which should get us down to somewhere in the 120 range. There's still some work to do to get under 100 again.

There are lots and lots of little changes, mostly cleaning up false positives. The main new test additions are a bunch of new init script checks from Raphael Geissert and the extension of various script checks to example scripts, thanks to Damyan Ivanov.

This should take care of nearly all the normal bugs and the easy minor bugs, but there are still a ton of wishlist bugs asking for new checks or expansions of existing checks. If anyone out there feels like poking at some fairly straightforward Perl code, I always try to make time to discuss possible approaches to implementing wishlist requests.

2009-09-27: Pressed life

Pressboard

Wow, it's been a long time since I've posted a regular journal entry.

It's been a hell of a summer, and I've put aside a lot of my normal priorities to focus on other things. Work has been a large part of that, including two different security advisories. I'm still working on the Shibboleth-related vulnerabilities, although most of my work is now done. Mixed in with that was some other urgent work and a lot of things going badly for my larger organization that meant that everyone has been on edge.

I'm also probably overdue for a vacation, and my daily momentum hasn't been what I'd like it to be. That's meant lower energy, which in turn has meant not doing as much volunteer free software work as I'd like. I've spent more weekends on video games or just vegetating in front of the television instead of programming or working on other projects. Which has meant a lot of quiet here.

As you can tell from recent reviews, I'm slowly sorting out priorities again and "turning back on" parts of my life that had been on hold or at least on slow. I have a couple more reviews to write and then I'll be caught up with the little bit of reading that I've been able to do. I'm also experimenting with a different daily schedule, shifting a bit later since that seems to be working better for me at the moment. The next step is to get back into the habit of working from a to-do list now that I don't have as many top-priority things jumping the queue and requiring all of my attention.

The picture today is pressboard I found on Rathtrevor Beach in Parksville, British Columbia. Unlike my normal tendency to just post whatever I took, perhaps with a bit of cropping, this one was sharpened (possibly too much) in Gimp, since the original seemed a bit too blurred. Learning how to do that sort of thing properly is one of those things I'd like to do but don't have time for at the moment, but maybe I can learn from a bit of small experimentation.

I went through the various blog-style or periodically updating web sites that I visit regularly and added a bunch of links to the sidebar on my journal index page for those who are curious what I read regularly.

2009-09-29: Running through the tubes

Human Habitrail

Buildings at the University of Michigan Arbor Lakes facility.

Today was, alas, not another day of getting life back in order and making productive forward progress. It was, instead, a day of babysitting a crashed AFS server. For some reason, one of our AFS servers started spewing the dreaded CPS too many lockers message and got very slow, and while I was trying to move volumes off of it, our automated scripts decided that it had passed the point of no return in terms of connections waiting for a thread and shot it in the head.

It turned out that we were running a back rev of the server (1.4.10 instead of 1.4.11), which I'm hoping was most of the problem. That certainly explains why we were having volumes randomly go off-line, as that's a known bug that was fixed in 1.4.11. I need to accelerate my work on new Debian packages incorporating some critical fixes in OpenAFS stable and get new file server backports ready to deploy on our systems, and then we need to do a rolling upgrade starting with the 1.4.10 systems.

This was a really bad time to have more AFS problems.

On the good side, I confirmed that all the nastiest symptoms of an AFS file server restart can be fixed by using iptables to prevent the AFS file server from talking to any clients until it's finished attaching volumes. This should really be done upstream if possible, but in the meantime I have iptables rules that work and can write a remctl call that we can use to cut an AFS file server off from clients when it starts having problems and keep it cut off until it recovers.
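One way to script the cut-off described above, as an added example that is not OpenAFS's or Stanford's code, written in Python so that a remctl backend could call it: it drops inbound UDP to the file server port (7000/udp, afs3-fileserver) from a dedicated chain, assumed here to be named afs-cutoff, and is idempotent so the call can be repeated while the server recovers. Because Rx uses the file server's single socket for the server's own calls too, replies from the AFS database servers also arrive on port 7000, so those hosts (and any admin clients that should keep access) belong in allow_from; the 192.0.2.x addresses are constructed. FakeIptables is a stand-in used for dry runs and testing.

```python
import subprocess
from typing import Callable, Dict, List, Sequence

AFS_FILESERVER_PORT = 7000      # afs3-fileserver, UDP (IANA / /etc/services)
CHAIN = "afs-cutoff"            # hypothetical dedicated chain name

# Runs one iptables invocation (argv without the leading "iptables") and
# returns its exit status.
Runner = Callable[[Sequence[str]], int]


def iptables_runner(argv: Sequence[str]) -> int:
    """Run the real iptables (needs root).  -C and -N are used as probes, so
    their expected failures are kept quiet."""
    quiet = subprocess.DEVNULL if argv[0] in ("-C", "-N") else None
    return subprocess.run(["iptables", *argv], stderr=quiet, check=False).returncode


class FakeIptables:
    """In-memory stand-in for iptables (dry runs and tests).  Models only the
    operations the controller uses: -N, -F, -A, -I, -C."""

    def __init__(self) -> None:
        self.chains: Dict[str, List[List[str]]] = {"INPUT": []}
        self.log: List[List[str]] = []

    def __call__(self, argv: Sequence[str]) -> int:
        argv = list(argv)
        self.log.append(argv)
        op, chain, rule = argv[0], argv[1], argv[2:]
        if op == "-N":
            if chain in self.chains:
                return 1                          # "Chain already exists"
            self.chains[chain] = []
            return 0
        if chain not in self.chains:
            return 1                              # "No chain/target/match"
        rules = self.chains[chain]
        if op == "-F":
            rules.clear()
        elif op == "-C":
            return 0 if rule in rules else 1
        elif op == "-A":
            rules.append(rule)
        elif op == "-I":                          # optional position, default 1
            pos = int(rule.pop(0)) - 1 if rule and rule[0].isdigit() else 0
            rules.insert(pos, rule)
        else:
            return 2
        return 0


class AfsCutoff:
    """Cut an AFS file server off from clients by dropping inbound UDP to the
    file server port.  Hosts in allow_from (database servers, admin clients)
    are let through with RETURN before the DROP."""

    def __init__(self, run: Runner = iptables_runner,
                 allow_from: Sequence[str] = ()) -> None:
        self.run = run
        self.allow_from = list(allow_from)
        self.hook = ["-p", "udp", "--dport", str(AFS_FILESERVER_PORT), "-j", CHAIN]

    def _ensure_chain(self) -> None:
        self.run(["-N", CHAIN])                   # harmless if it already exists
        if self.run(["-C", "INPUT", *self.hook]) != 0:
            self.run(["-I", "INPUT", "1", *self.hook])   # hook in once, at the top

    def cutoff(self) -> None:
        """Idempotent: the chain is rebuilt, so repeated calls do not stack rules."""
        self._ensure_chain()
        self.run(["-F", CHAIN])
        for host in self.allow_from:
            self.run(["-A", CHAIN, "-s", host, "-j", "RETURN"])
        self.run(["-A", CHAIN, "-j", "DROP"])

    def restore(self) -> None:
        """Let clients back in, once the server has finished attaching volumes."""
        self.run(["-F", CHAIN])

    def is_cut_off(self) -> bool:
        return self.run(["-C", CHAIN, "-j", "DROP"]) == 0


if __name__ == "__main__":
    # Dry run against the fake; pass iptables_runner on a real file server.
    fake = FakeIptables()
    ctl = AfsCutoff(fake, allow_from=["192.0.2.10"])   # constructed db server address
    ctl.cutoff()
    print("cut off:", ctl.is_cut_off(), fake.chains)
    ctl.restore()
    print("cut off:", ctl.is_cut_off())
```

Dropping rather than rejecting makes clients treat the server as down and fail over for replicated volumes instead of retrying against a server that is still attaching; the INPUT hook stays in place after restore, with an empty chain, so the next cut-off only has to refill it.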

But I got absolutely nothing else done today, including responding to a critical HelpSU ticket that I need to get to first thing tomorrow. I need to send them a note tonight, in fact, to tell them that I'll do that. Tomorrow will likewise probably be devoured by AFS work; hopefully by Wednesday I can get back to the other things I was supposed to be doing.

But on the bright side, review writing and posting continues, which is making me feel less behind.

Last modified and spun 2017-07-01