GnuTLS vulnerability now fixed in many linux distributions

Earlier this week, a new security vulnerability was discovered in the GnuTLS SSL/TLS library.
The vulnerability, indexed as CVE-2014-0092 or GNUTLS-SA-2014-2, affects the code responsible for verification of X.509 certificates and could potentially allow eavesdropping on encrypted network traffic.

The good news for Linux users and system administrators is that the problem has been resolved in GnuTLS version 3.2.12.
Fixes are already available for most enterprise and desktop Linux distributions, and patches have been published in the version 2.12.x git tree.
However, as both Ars Technica and Tom’s Guide have suggested, the vulnerability might affect more than just Linux servers and workstations.
As a matter of fact, any application or appliance relying on a pre-3.2.12 version of GnuTLS is vulnerable and will require an update.
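Because the fix is tied to a specific release, the practical question on any host or appliance is "which GnuTLS is this binary actually using?". The script below is an added example, not code from the post or from the GnuTLS project: it compares a dotted version string against 3.2.12 (the release named above as fixed) and, when run with --scan, lists executables in the given directories that link libgnutls. The live checks assume gnutls-cli and ldd are present; versions on the 2.12.x branch compare below 3.2.12 and are therefore reported as needing review, since the post names no released 2.12.x version that carries the patch.

```shell
#!/bin/sh
# Added example (not from the original post): GnuTLS version check and
# a scan for binaries linked against libgnutls.
# Assumes gnutls-cli and ldd exist for the live checks; version_cmp and
# gnutls_fixed are pure and need neither.

# Compare two dotted version strings; prints 1, 0 or -1 like strcmp.
# A suffix such as "-1" or "a" is cut off at the first non-digit character.
version_cmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0; return 0
        fi
        x=${x:-0}; y=${y:-0}            # missing components count as 0
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        i=$((i + 1))
    done
}

# True (exit 0) when the given GnuTLS version is 3.2.12 or newer.
gnutls_fixed() {
    [ "$(version_cmp "$1" 3.2.12)" -ge 0 ]
}

# Version reported by gnutls-cli, first line only (assumed output format:
# the version is the last digit run on that line).
installed_gnutls_version() {
    gnutls-cli --version 2>/dev/null \
        | sed -n '1s/.*[^0-9]\([0-9][0-9.]*\).*/\1/p'
}

# Print executables under the given directories whose ldd output names libgnutls.
scan_gnutls_users() {
    for d in "$@"; do
        for f in "$d"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                if ldd "$f" 2>/dev/null | grep -q 'libgnutls'; then
                    printf '%s\n' "$f"
                fi
            fi
        done
    done
}

if [ "${1:-}" = "--scan" ]; then
    shift
    v=$(installed_gnutls_version)
    if [ -n "$v" ]; then
        if gnutls_fixed "$v"; then
            printf 'GnuTLS %s: at or above 3.2.12\n' "$v"
        else
            printf 'GnuTLS %s: below 3.2.12, update required\n' "$v"
        fi
    else
        printf 'gnutls-cli not found; cannot read the installed version\n'
    fi
    printf 'Executables linked against libgnutls:\n'
    scan_gnutls_users "${@:-/usr/bin}"
fi
```

Run it as `sh gnutls-check.sh --scan /usr/bin /usr/sbin` (the file name is arbitrary). Note that ldd only reveals dynamic linking; a statically linked appliance binary or a bundled private copy of the library will not show up, which is exactly the "more than just Linux servers" case the post warns about.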

Here’s a collection of related advisories for Linux distributions:

Debian
http://www.debian.org/security/2014/dsa-2869

Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1071795

Red Hat
https://www.redhat.com/security/data/cve/CVE-2014-0092.html

Suse
http://support.novell.com/security/cve/CVE-2014-0092.html

Ubuntu
http://www.ubuntu.com/usn/usn-2127-1/

New series: the Fedora 20 experience


In its tenth year of life, the Fedora® Project released version 20 “Heisenbug” last December.
I’ve been running Heisenbug for a little over a month now, and I’d like to share my thoughts on some of the distribution’s newest features.

The first article in this series will discuss the new software management interface that comes with Fedora’s Gnome 3 default desktop: Gnome Software.

I already have a few other topics in mind, but I’m open to suggestions. Feel free to submit your proposals using the comment box at the bottom of this page, or via Twitter.

Interrupt remapping problems with Intel 5500, 5520 CPUs

A well-known and documented flaw in the Intel VT-d Interrupt Remapping engine affects early revisions of the Intel 5500/5520 CPUs.
The problem was documented by Intel in a September 2011 update to the 5500/5520 chipset specifications.
Many hardware vendors have since chosen to disable this feature on affected systems via BIOS updates.

In my work as a technical support engineer I have come across many different problems caused by faulty Interrupt Remapping, with varying symptoms.
Depending on which device is affected, a system may lose network connectivity, access to storage devices, or experience a panic.
This can result in unmanageable hosts, unresponsive or failed virtual machines, system hangs or unexpected reboots.

On Linux hosts, Interrupt Remapping can be disabled by booting the system with the intremap=off kernel parameter.
On VMware ESX/ESXi hosts, the same result can be achieved by setting the iovDisableIR kernel parameter to TRUE.

Over the course of the past two years, a few hardware and software vendors I have worked with have published articles describing this issue.
Some of these are relatively new, others have been recently updated and improved.
I have referenced them below, in alphabetical order.

Cisco
Disable Interrupt Remapping UCS for UC Applications

Citrix
Intel 55×0 Chipset Errata – Interrupt Remapping Issue

IBM
HBAs and other PCI devices may stop responding in VMware ESX or ESXi 4 – IBM Servers

Red Hat
Why do I see “kernel: do_IRQ: X.Y No irq handler for vector (irq -1)” messages on systems with Intel 5500 and 5520 chipsets?

Suse
Faulty Intel chipsets cause problems with interrupt remapping

VMware
vHBAs and other PCI devices may stop responding in ESXi 5.x and ESXi/ESX 4.1 when using Interrupt Remapping (1030265)

Additional note on Linux:
Earlier this year, a patch was introduced in the Linux kernel to warn system administrators that their system is affected by this problem.
To my knowledge, this patch is included in recent kernel updates for the OpenSuSE, SLES, Fedora and RHEL Linux distributions.
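The Red Hat article title above quotes the kernel message that gives this fault away, and the Linux workaround is a boot parameter, so both can be checked from a shell. The script below is an added example, not code from the post or from any of the vendors listed: it counts and groups the "No irq handler for vector" lines in log text (the X.Y in the message is the CPU number and the vector) and tests a kernel command line for intremap=off. The sample log lines are constructed for the example, with an assumed syslog prefix; the --live mode reads dmesg and /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the original post): detect the do_IRQ symptom in
# kernel log text and check whether the intremap=off workaround is active.

# Count "do_IRQ: X.Y No irq handler for vector" lines read from stdin.
# grep -c prints 0 on no match but exits 1, so force a clean exit status.
count_irq_handler_errors() {
    grep -c 'do_IRQ: [0-9]*\.[0-9]* No irq handler for vector' || true
}

# Print each distinct "X.Y" (CPU.vector) seen in the log text on stdin.
affected_vectors() {
    sed -n 's/.*do_IRQ: \([0-9]*\.[0-9]*\) No irq handler for vector.*/\1/p' | sort -u
}

# True (exit 0) when the kernel command line contains intremap=off.
intremap_disabled() {
    case " $1 " in
        *" intremap=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample log (assumed syslog prefix; message text as quoted in the post).
SAMPLE_LOG='Mar  4 10:01:02 host kernel: do_IRQ: 1.123 No irq handler for vector (irq -1)
Mar  4 10:01:02 host kernel: do_IRQ: 1.123 No irq handler for vector (irq -1)
Mar  4 10:01:05 host kernel: do_IRQ: 3.211 No irq handler for vector (irq -1)
Mar  4 10:01:06 host kernel: eth0: link up'

report() {
    # Read log text from stdin and a command line as $1, print a summary.
    n=$(count_irq_handler_errors)
    printf 'do_IRQ "No irq handler for vector" messages: %s\n' "$n"
    if intremap_disabled "$1"; then
        printf 'intremap=off is set on the kernel command line\n'
    else
        printf 'intremap=off is NOT set; consider the workaround on affected 5500/5520 hosts\n'
    fi
}

if [ "${1:-}" = "--live" ]; then
    dmesg 2>/dev/null | report "$(cat /proc/cmdline 2>/dev/null)"
    printf 'affected CPU.vector pairs:\n'
    dmesg 2>/dev/null | affected_vectors
else
    printf '%s\n' "$SAMPLE_LOG" | report "BOOT_IMAGE=/vmlinuz ro quiet"
    printf 'affected CPU.vector pairs:\n'
    printf '%s\n' "$SAMPLE_LOG" | affected_vectors
fi
```

Without arguments the script runs against the constructed sample; with --live it reads the running host. A non-zero count on a 5500/5520 system that does not show intremap=off is the combination worth investigating against the vendor articles listed above.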