Administration – Page 5

Using SED in Linux to Edit Large Files

February 28, 2018 The Geek Decoder No Comments Administration

Recently I encountered a server that had an Apache configuration file that was over 500,000 lines. Changes needed to make were to comment out the CustomLog line for each domain in /etc/httpd/httpd.conf. For this command, I used SED.

NAME
sed – stream editor for filtering and transforming text

SYNOPSIS
sed [OPTION]… {script-only-if-no-other-script} [input-file]…

DESCRIPTION

Sed is a stream editor. A stream editor is used to perform basic text transformations on an input stream (a file or input from a pipeline). While in some ways similar to an editor which permits scripted edits (such as ed), sed works by making only one pass over the input(s), and is consequently more efficient. But it is sed’s ability to filter text in a pipeline which particularly distinguishes it from other types of editors.

Change directory to the log file location. Use below to see what the command will do before doing it.

# sed -n 's|CustomLog|#CustomLog|gp' /etc/apache2/conf/httpd.conf

Use this to alter the file directly.

# sed -i 's|CustomLog|#CustomLog|g' /etc/apache2/conf/httpd.conf

Linux mount CIFS Windows Share

February 27, 2018 The Geek Decoder No Comments Administration

CIFS stands for Common Internet File System. This is application-level network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes. You can access CIFS share from Linux and mount them as a regular filesystem. This is handy if there is a backup service like Infrascale where you set up a windows computer to be backed up. As there is no linux application for infrascale.

The following example values will be used in this example:

IP address for the server: 192.168.1.104
Share name on Windows Server: C:\backuptemp
User name: testuser
Domain: testdomain
Mount point on Linux Server: /mnt/winmount

The environment is a Windows Domain with Active Directory. There is a file share set up as C:\backuptemp

Make the local mount point on the linux server:

# mkdir mnt/winmount

To mount the network share, use the following command and enter the password of the user:

# mount -t cifs //192.168.1.104/backuptemp /mnt/winmount -o user=testuser

Google Email delisting

February 2, 2018 The Geek Decoder No Comments Administration

Here it is:

https://support.google.com/mail/contact/msgdelivery

How do you calculate mysql max_connections variable

January 29, 2018 The Geek Decoder No Comments Administration, MySQL

The basic formulas are:

Available RAM = Global Buffers + (Thread Buffers x max_connections)
max_connections = (Available RAM – Global Buffers) / Thread Buffers

To get the list of buffers and their values:


SHOW VARIABLES LIKE '%buffer%';

Here’s a list of the buffers and whether they’re Global or Thread:

Global Buffers: key_buffer_size, innodb_buffer_pool_size, innodb_log_buffer_size, innodb_additional_mem_pool_size, net_buffer_size, query_cache_size
Thread Buffers: sort_buffer_size, myisam_sort_buffer_size, read_buffer_size, join_buffer_size, read_rnd_buffer_size, thread_stack

MariaDB [(none)]> SHOW VARIABLES LIKE '%buffer%';
+---------------------------------------+-----------+
| Variable_name                         | Value     |
+---------------------------------------+-----------+
| aria_pagecache_buffer_size            | 134217728 |
| aria_sort_buffer_size                 | 134217728 |
| bulk_insert_buffer_size               | 8388608   |
| innodb_blocking_buffer_pool_restore   | OFF       |
| innodb_buffer_pool_instances          | 1         |
| innodb_buffer_pool_populate           | OFF       |
| innodb_buffer_pool_restore_at_startup | 0         |
| innodb_buffer_pool_shm_checksum       | ON        |
| innodb_buffer_pool_shm_key            | 0         |
| innodb_buffer_pool_size               | 134217728 |
| innodb_change_buffering               | all       |
| innodb_log_buffer_size                | 8388608   |
| join_buffer_size                      | 131072    |
| join_buffer_space_limit               | 2097152   |
| key_buffer_size                       | 16777216  |
| mrr_buffer_size                       | 262144    |
| myisam_sort_buffer_size               | 8388608   |
| net_buffer_length                     | 8192      |
| preload_buffer_size                   | 32768     |
| read_buffer_size                      | 262144    |
| read_rnd_buffer_size                  | 524288    |
| sort_buffer_size                      | 524288    |
| sql_buffer_result                     | OFF       |
+---------------------------------------+-----------+

Lets find out the RAM:

# free -b
              total        used        free      shared  buff/cache   available
Mem:     3975184384   978608128  1691045888     9445376  1305530368  2661937152

Lets get our data together.

RAM = 3975184384
Global Buffers: key_buffer_size, innodb_buffer_pool_size, innodb_log_buffer_size, innodb_additional_mem_pool_size, net_buffer_length, query_cache_size
or, from above…
Global Buffers: 16777216 + 134217728 + 8388608 + 0 + 8192 + 0 = 159391744

Thread Buffers: sort_buffer_size, myisam_sort_buffer_size, read_buffer_size, join_buffer_size, read_rnd_buffer_size, thread_stack
or, from above…
Thread Buffers: 524288 + 8388608 + 262144 + 131072 + 524288 + 0 = 9830400

With this information, the following is the calculation:
max_connections = (Available RAM – Global Buffers) / Thread Buffers
max_connections = (3975184384 – 159391744) / 9830400

So the formula shows 378 Max Connections on this machine

Test info with mysqltuner

Log into your server with a root or sudo user via SSH.
Download MySQLTuner by executing the following command:


wget -O mysqltuner.pl https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl --no-check-certificate

Give the script 775 permissions:


chmod 775 mysqltuner.pl

Run the script with the following command:


perl mysqltuner.pl

Resources:
Handy Calculator Download: https://journeyontux.wordpress.com/2011/12/22/calculate-number-of-connections-for-mysql-server/
Another Calculator: http://www.mysqlcalculator.com/

Add second hard drive to linux

January 23, 2018 The Geek Decoder No Comments Administration

Here is how to add a second disk to linux. In this article, the OS is CentOS 7.

Check to see how many drives are installed: You can do this using the df and fdisk command:


# df -h
Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/centos_plesk-root   14G  3.9G   10G  29% /
devtmpfs                       910M     0  910M   0% /dev
tmpfs                          920M  4.0K  920M   1% /dev/shm
tmpfs                          920M  8.6M  912M   1% /run
tmpfs                          920M     0  920M   0% /sys/fs/cgroup
/dev/sda1                      497M  215M  282M  44% /boot
tmpfs                          184M     0  184M   0% /run/user/1000

The above information show the primary disk as sda.

Use fdisk to identify the second drive:


# fdisk -l

Disk /dev/sda: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000ab095

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     1026047      512000   83  Linux
/dev/sda2         1026048    33554431    16264192   8e  Linux LVM

Disk /dev/sdb: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

The sdb drive is the second drive and it has no information on the mount points.

Now we can partition the drive. To partition the disk – /dev/sdb, enter:


# fdisk /dev/sdb

For help using the partitioner, use the “m” command:


Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help):

partitions using the command “p”:


Command (m for help): p

Disk /dev/sdb: 50.0 GB, 50019202560 bytes
255 heads, 63 sectors/track, 6081 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start       End    Blocks   Id  System

Command (m for help):

To create a new partition, issue the command “n” and then select “p” for primary and 1-4 depending on which partition on the drive this is (first, second, third, or fourth):

n(creates a new partition)

p(creates a primary partition)

1(the number 1 denotes the partition will be /dev/sdb1)


Command (m for help): n
Command action
  e   extended
  p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-6081, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-6081, default 6081): 6081

To save the partition, use the “w” command:


Command (m for help): w


The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now we can check to see if the partition is there:

# fdisk -l

Disk /dev/sda: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000ab095

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     1026047      512000   83  Linux
/dev/sda2         1026048    33554431    16264192   8e  Linux LVM

Disk /dev/sdb: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x884e64a3

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    33554431    16776192   83  Linux

Format the new disk using mkfs.ext3 command:

To format Linux partions using ext3fs on the new disk, issue the following command:


# mkfs.ext3 /dev/sdb1

To format Linux partions using ext4fs on the new disk, issue the following command:

# mkfs.ext4 /dev/sdb1

Output (for using ext4):

# mkfs.ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1048576 inodes, 4194048 blocks
209702 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2151677952
128 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

Mount the new disk using the mount command. First, you’ll need to create a mount point. We’ll use /disk2. This is where we’ll mount /dev/sdb1. Enter the following commands:


# cd /
# mkdir disk2
# mount /dev/sdb1 /disk2
# df -h
Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/centos_plesk-root   14G  3.9G   10G  29% /
devtmpfs                       910M     0  910M   0% /dev
tmpfs                          920M  4.0K  920M   1% /dev/shm
tmpfs                          920M  8.6M  912M   1% /run
tmpfs                          920M     0  920M   0% /sys/fs/cgroup
/dev/sdb1                       16G   47M   15G   1% /disk2
/dev/sda1                      497M  215M  282M  44% /boot
tmpfs                          184M     0  184M   0% /run/user/0

Edit /etc/fstab so the new drive will automatically mount to /disk1 on reboot. Add the following:
/dev/sdb1 /disk2 ext4 defaults 0 0

# nano /etc/fstab
# Created by anaconda on Wed Dec  6 19:53:05 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos_plesk-root /                       xfs     defaults        0 0
UUID=f9b133be-f059-45e2-a296-ccddb4cebe06 /boot                   xfs     defaults        0 0
/dev/mapper/centos_plesk-swap swap                    swap    defaults        0 0
/dev/sdb1       /disk2      ext4    defaults        0 0

Mount the disk

# mount -a

Cron Format

January 22, 2018 The Geek Decoder No Comments Administration

How Cron works:

<Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year> <Day_of_the_Week>

* * * * * *
| | | | | | 
| | | | | +-- Year              (range: 1900-3000)
| | | | +---- Day of the Week   (range: 1-7, 1 standing for Monday)
| | | +------ Month of the Year (range: 1-12)
| | +-------- Day of the Month  (range: 1-31)
| +---------- Hour              (range: 0-23)
+------------ Minute            (range: 0-59)

Examples:


0 0 * * * *                         Daily at midnight

5 minutes after midnight each day

05     0      *       *       *       root

Add Gzip to Plesk Server

January 12, 2018 The Geek Decoder No Comments Administration, Plesk

Instructions
Login to your Plesk server.
Select the domain you wish to enable gzip for from the left hand side.
Click in Apache and nginx settings:

Down the bottom, add the following to the “Additional nginx directives” field:

gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp image/svg+xml;
gzip_vary on;

Click OK to save.
Verify with GTMetrix.com

Another way is to set up deflate.

First you need to check the module mod_deflate is enabled on the server.

In plesk:

Or, in ssh:

 
# httpd -M |grep deflate

Then you need to create the file /etc/httpd/conf.d/deflate.conf


# vim /etc/httpd/conf.d/deflate.conf

and add the following into it.

 
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
DeflateCompressionLevel 8
</ifmodule>

Restart Apache


/etc/init.d/httpd restart

Chech here – https://checkgzipcompression.com

Nmap Script to Test SSL Versions and Cipher Suites

January 9, 2018 The Geek Decoder No Comments Administration

Included in NMap is a script called ssl-enum-ciphers, which will let you scan a target and list all SSL protocols and ciphers that are available on that server. You can also narrow it down by specifying a port number with the -p option.

This tool comes in handy if you’re doing a vulnerability scan and you need to make some changes to a server and you want to test those changes. This will allow you to perform a quick scan without needing to do a complete vulnerability scan.

$ nmap --script ssl-enum-ciphers -p 443 testdomain.com

Starting Nmap 7.40 ( https://nmap.org ) at 2018-01-09 12:18 CST
Nmap scan report for testdomain.com (192.99.236.66)
Host is up (0.065s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Error 401: Unauthorized: Access is denied due to invalid credentials

January 5, 2018 The Geek Decoder No Comments Administration

When getting an error in Windows 2008 R2, Error 401: Unauthorized: Access is denied due to invalid credentials

See – https://www.codeproject.com/Answers/418802/Unauthorized-Access-is-denied-due-to-invalid-c#answer1

Specifically Solution 6 with a minor adjustment.

Right click on the folder in Explorer and choose Properties.

In Security tab add ‘IIS_IUSRS’ and ‘NETWORK SERVICE’ and give full control to both user.

Also check Authentication. Set up the Anonymous Authentication to Application Pool Identity. Check others and disable as needed.

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

January 5, 2018 The Geek Decoder No Comments Administration

How to Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
For Example, CentOS 7

Type the following yum command:

# uname -r
3.10.0-693.2.2.el7.x86_64

# sudo yum update

CentOS 7 output

====================================================================================================================================================================================================
 Package                                            Arch                                  Version                                                      Repository                               Size
=====================================================================================================================================================================================================
Installing:
 kernel                                             x86_64                                3.10.0-693.11.6.el7                                          updates                                  43 M
 kernel-devel                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                  14 M
Updating:
 iwl100-firmware                                    noarch                                39.31.5.1-57.el7                                             updates                                 152 k
 iwl1000-firmware                                   noarch                                1:39.31.5.1-57.el7                                           updates                                 215 k
 iwl105-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 236 k
 iwl135-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 245 k
 iwl2000-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 239 k
 iwl2030-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 248 k
 iwl3160-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.5 M
 iwl3945-firmware                                   noarch                                15.32.2.9-57.el7                                             updates                                  90 k
 iwl4965-firmware                                   noarch                                228.61.2.24-57.el7                                           updates                                 103 k
 iwl5000-firmware                                   noarch                                8.83.5.1_1-57.el7                                            updates                                 296 k
 iwl5150-firmware                                   noarch                                8.24.2.2-57.el7                                              updates                                 149 k
 iwl6000-firmware                                   noarch                                9.221.4.1-57.el7                                             updates                                 169 k
 iwl6000g2a-firmware                                noarch                                17.168.5.3-57.el7                                            updates                                 312 k
 iwl6000g2b-firmware                                noarch                                17.168.5.2-57.el7                                            updates                                 312 k
 iwl6050-firmware                                   noarch                                41.28.5.1-57.el7                                             updates                                 245 k
 iwl7260-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.1 M
 kernel-headers                                     x86_64                                3.10.0-693.11.6.el7                                          updates                                 6.0 M
 kernel-tools                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 kernel-tools-libs                                  x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 linux-firmware                                     noarch                                20170606-57.gitc990aae.el7                                   updates                                  35 M
 microcode_ctl                                      x86_64                                2:2.1-22.2.el7                                               updates                                 1.1 M
 python-perf                                        x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
Removing:
 kernel                                             x86_64                                3.10.0-514.21.1.el7                                          @updates                                148 M

Transaction Summary
=====================================================================================================================================================================================================
Install   2 Packages
Upgrade  22 Packages
Remove    1 Package

Total download size: 120 M
Is this ok [y/d/N]:

You must reboot your Linux server using shutdown/reboot command:

$ sudo reboot

$ uname -r
3.10.0-693.11.6.el7.x86_64

Verify all 3 CVEs (you must see output:

$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

[root@webhost ~]# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}

Run the following dnf command if you are using a Fedora Linux:

# sudo dnf --refresh update kernel

# sudo dnf update

Reboot the Linux box:

$ sudo reboot

GEEKDECODER

Category: Administration