2016/03/24

aptitude update 找不到 GPG key 的處理

執行的 aptitude update 以後,出現錯誤訊息:
W: GPG error: http://ppa.launchpad.net trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 00A6F0A3C300EE8C
W: GPG error: http://ppa.launchpad.net trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F4EA0AAE5267A6C

可以透過下列指令去 import keys:
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com {KEY}

例如上面的錯誤,可以這樣 import key:
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 00A6F0A3C300EE8C
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 4F4EA0AAE5267A6C

reference: How do I fix the GPG error “NO_PUBKEY”?

2016/03/17

Ubuntu PPA for new version of Git

舊版本的 git 有安全性漏洞,需要升級到 2.7.1 以上版本
server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)


Ubuntu 14.04 的 git 還在 1.x,只好靠 PPA 抓新版本:
sudo add-apt-repository ppa:git-core/ppa
sudo aptitude update && sudo aptitude upgrade

2016/03/02

SSLv2 可能也不安全了

More than 11 million HTTPS websites imperiled by new decryption attack
http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

解釋:
最新的 SSL connection 攻擊:DROWN attack
https://blog.gslin.org/archives/2016/03/02/6381/


目前自己的機器好像沒受到影響,被份一下 nginx 的 HTTP 設定 (從多方搜尋來得設定值):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;


若不清楚自己的 server 設定是否安全,可以透過 SSL Labs 提供的服務,來檢查是否有什麼潛在的問題。