aegiap aegiap

## gist:9e0289df24a24de0f8541815245b85b7
Bonjour,

Vous recevez cet email parce que vous figurez parmi les responsables de
plusieurs framalistes (XXX@framalistes.org, XXX@framalistes.org, YYY@framalistes.org),
hébergées par l’association Framasoft (c'est nous !).

Depuis mars 2021, le service connaît des ralentissements et des perturbations
importantes pour les personnes qui utilisent un email hébergé par SFR.

En effet, malgré notre respect scrupuleux des standards du domaine, les serveurs

## AES
AES-CBC vs AES-GCM

Until recently the only AES cipher that you were likely to encounter in the VPN world was AES-CBC (Cipher Block Chaining).
This refers to the block cipher mode, a complex subject that is not really worth going into here.

Although CBC may theoretically have some vulnerabilities, the consensus is that CBC is secure. CBC is, indeed, recommended
in the OpenVPN manual.

OpenVPN now also supports AES-GCM (Galios/Counter Mode). GCM provides authentication, removing the need for an HMAC SHA
hashing function. It is also slightly faster than CBC because it uses hardware acceleration (by threading to multiple

## gist:97d7f3f69dfde60fb8244d8b1125d423
--- /usr/share/gandi/bootstrap.d/01-config_swap.orig	2020-04-24 14:37:36.210057319 +0200
+++ /usr/share/gandi/bootstrap.d/01-config_swap	2020-04-24 14:37:50.618311531 +0200
@@ -185,17 +185,17 @@
 # if the swap device is already activated, we stop there
 /sbin/swapon -s | grep -q "^$swap_device " && exit 0

-# We read the files for the configuration from the disk and not
-# the swap partition.
-# If a valid tar archive extracts with no error at offset 4k*128,
-# use it. Otherwise continue with swap creation logic.

## hb_all_books_dl.js
/*
After purchasing a humble book bundle, go to your download page for that bundle.
Open a console window for the page and paste in the below javascript
*/

function getTitle() {
  var re = /^Humble\ Book\ Bundle\:\ (.*)\ \(/g;
  return re.exec(document.title)[1];
}

## Sapphire FS-FP5V
The Sapphire FS-FP5V will be available later this month. Consumers interested in grabbing one can order it directly through Sapphire's website. Pricing is as follows:

FS-FP5V1807B V1807B 35-54W 52093-00-40G - $450
FS-FP5V1756B V1756B 35-54W 52093-01-40G - $390
FS-FP5V1605B V1605B 12-25W 52093-02-40G - $340
FS-FP5V1202B V1202B 12-25W 52093-03-40G - $325

## gist:2cd469f3eb72903f97952473d329905e
INFO: task xenwatch:108 blocked for more than 120 seconds.
      Tainted: G        W        4.15.0-20-generic #21-Ubuntu
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
xenwatch        D    0   108      2 0x80000000
Call Trace:
 __schedule+0x297/0x8b0
 schedule+0x2c/0x80
 xennet_remove+0xda/0x1c0
 ? wait_woken+0x80/0x80
 xenbus_dev_remove+0x54/0xa0

## gist:cbd00fe5542412faa38848676c9a4ba7
Linux nanopineo 4.14.15-sunxi #28 SMP Mon Jan 29 07:24:48 CET 2018 armv7l GNU/Linux

Order "GY-NEO6MV2" GPS module from Aliexpress for $4

Add uart1 and pps-gpio fdt overlays, assign PPS pin
per https://docs.armbian.com/User-Guide_Allwinner_overlays/
Using a GPIO pin instead of a uart control pin because this
armbian kernel already has CONFIG_PPS_CLIENT_GPIO=m instead
of LDISC and not even sure it would work on a CTS pin anyway.

## NanoPi NEO armbian notes
switch ntp for ntpsec (because ?? security, support, logging features, find that accuracy/feature comparison chart again)
use gpsd from git head, armbian/debian package is several versions/features behind
gpsd -r; missing from pkg version, probably a bad idea anyway since the neo6m rtc/batt is likely for fix/ephemeris and gps will send 1969 without sat lock
gpsd -G; not working to bind * instead of localhost, try in newer version -- need this for u-center access remotely from Windows

https://www.u-blox.com/sites/default/files/products/documents/u-blox6_ReceiverDescrProtSpec_%28GPS.G6-SW-10018%29_Public.pdf
per page 39 disable SBAS, other timepulse/timing tips
see if 'static' mode available on 6m or only T versions

chronodot ds3231 rtc tcxo with battery for initial time / no fix / no network situations

## gist:ff907b9c2bfbba6deec4b94a2a4d1a9f
CVE:                 CVE-2017-3142
Document Version:    2.0
Posting date:        29 June 2017
Program Impacted:    BIND
Versions affected:   9.4.0 -> 9.8.8, 9.9.0 -> 9.9.10-P1, 9.10.0 ->
9.10.5-P1,
                     9.11.0 -> 9.11.1-P1, 9.9.3-S1 -> 9.9.10-S2,
                     9.10.5-S1 -> 9.10.5-S2
Severity:            Medium
Exploitable:         Remotely

## Bind9 CVE announces
Objet 	CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel

CVE:                 CVE-2017-3138
Document Version:    2.0
Posting date:        12 April 2017
Program Impacted:    BIND
Versions affected:   9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2,
9.10.4->9.10.4-P7,
                     9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4,
                     9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9
	Bonjour,

	Vous recevez cet email parce que vous figurez parmi les responsables de
	plusieurs framalistes (XXX@framalistes.org, XXX@framalistes.org, YYY@framalistes.org),
	hébergées par l’association Framasoft (c'est nous !).

	Depuis mars 2021, le service connaît des ralentissements et des perturbations
	importantes pour les personnes qui utilisent un email hébergé par SFR.

	En effet, malgré notre respect scrupuleux des standards du domaine, les serveurs
	AES-CBC vs AES-GCM

	Until recently the only AES cipher that you were likely to encounter in the VPN world was AES-CBC (Cipher Block Chaining).
	This refers to the block cipher mode, a complex subject that is not really worth going into here.

	Although CBC may theoretically have some vulnerabilities, the consensus is that CBC is secure. CBC is, indeed, recommended
	in the OpenVPN manual.

	OpenVPN now also supports AES-GCM (Galios/Counter Mode). GCM provides authentication, removing the need for an HMAC SHA
	hashing function. It is also slightly faster than CBC because it uses hardware acceleration (by threading to multiple
	--- /usr/share/gandi/bootstrap.d/01-config_swap.orig 2020-04-24 14:37:36.210057319 +0200
	+++ /usr/share/gandi/bootstrap.d/01-config_swap 2020-04-24 14:37:50.618311531 +0200
	@@ -185,17 +185,17 @@
	# if the swap device is already activated, we stop there
	/sbin/swapon -s \| grep -q "^$swap_device " && exit 0

	-# We read the files for the configuration from the disk and not
	-# the swap partition.
	-# If a valid tar archive extracts with no error at offset 4k*128,
	-# use it. Otherwise continue with swap creation logic.
	/*
	After purchasing a humble book bundle, go to your download page for that bundle.
	Open a console window for the page and paste in the below javascript
	*/

	function getTitle() {
	var re = /^Humble\ Book\ Bundle\:\ (.*)\ \(/g;
	return re.exec(document.title)[1];
	}
	The Sapphire FS-FP5V will be available later this month. Consumers interested in grabbing one can order it directly through Sapphire's website. Pricing is as follows:

	FS-FP5V1807B V1807B 35-54W 52093-00-40G - $450
	FS-FP5V1756B V1756B 35-54W 52093-01-40G - $390
	FS-FP5V1605B V1605B 12-25W 52093-02-40G - $340
	FS-FP5V1202B V1202B 12-25W 52093-03-40G - $325
	INFO: task xenwatch:108 blocked for more than 120 seconds.
	Tainted: G W 4.15.0-20-generic #21-Ubuntu
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	xenwatch D 0 108 2 0x80000000
	Call Trace:
	__schedule+0x297/0x8b0
	schedule+0x2c/0x80
	xennet_remove+0xda/0x1c0
	? wait_woken+0x80/0x80
	xenbus_dev_remove+0x54/0xa0
	Linux nanopineo 4.14.15-sunxi #28 SMP Mon Jan 29 07:24:48 CET 2018 armv7l GNU/Linux

	Order "GY-NEO6MV2" GPS module from Aliexpress for $4

	Add uart1 and pps-gpio fdt overlays, assign PPS pin
	per https://docs.armbian.com/User-Guide_Allwinner_overlays/
	Using a GPIO pin instead of a uart control pin because this
	armbian kernel already has CONFIG_PPS_CLIENT_GPIO=m instead
	of LDISC and not even sure it would work on a CTS pin anyway.
	switch ntp for ntpsec (because ?? security, support, logging features, find that accuracy/feature comparison chart again)
	use gpsd from git head, armbian/debian package is several versions/features behind
	gpsd -r; missing from pkg version, probably a bad idea anyway since the neo6m rtc/batt is likely for fix/ephemeris and gps will send 1969 without sat lock
	gpsd -G; not working to bind * instead of localhost, try in newer version -- need this for u-center access remotely from Windows

	https://www.u-blox.com/sites/default/files/products/documents/u-blox6_ReceiverDescrProtSpec_%28GPS.G6-SW-10018%29_Public.pdf
	per page 39 disable SBAS, other timepulse/timing tips
	see if 'static' mode available on 6m or only T versions

	chronodot ds3231 rtc tcxo with battery for initial time / no fix / no network situations
	CVE: CVE-2017-3142
	Document Version: 2.0
	Posting date: 29 June 2017
	Program Impacted: BIND
	Versions affected: 9.4.0 -> 9.8.8, 9.9.0 -> 9.9.10-P1, 9.10.0 ->
	9.10.5-P1,
	9.11.0 -> 9.11.1-P1, 9.9.3-S1 -> 9.9.10-S2,
	9.10.5-S1 -> 9.10.5-S2
	Severity: Medium
	Exploitable: Remotely
	Objet CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel

	CVE: CVE-2017-3138
	Document Version: 2.0
	Posting date: 12 April 2017
	Program Impacted: BIND
	Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2,
	9.10.4->9.10.4-P7,
	9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4,
	9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9