[Systems] Downloads with vulnerabilities

James Cameron quozl at laptop.org
Sat Dec 1 00:13:06 EST 2018


Thanks to Thomas for cleaning from 38 GB to 32 GB, but there are still
many downloads with potential and real vulnerabilities; i.e. if they
are installed, and connected to the internet, they can be infected.

For example:

- Fedora Live SoaS VM .ova files from 2014,

- XSCE VM .ova file from 2013,

- Ubuntu 12.04,

- Trisquel VMs from 2011,

- SoaS Mirabelle from 2010,

- Fedora Live from 2010,

- OpenSUSE VM from 2009.

Updating them to latest would be best, otherwise delete.

On Wed, Nov 07, 2018 at 06:54:29PM +1100, James Cameron wrote:
> ...
> 
> For account tgillard, it kept copies of virtual machines and operating
> system installers that were available from somewhere else, about 38
> GB.  No login since February 2016, no new files since 2015, and none
> of the files are recent; security risk of zero day vulnerabilities if
> installed.  Mail alias tgillard at sugarlabs.org was never used.
> 
> +CC Thomas, can we delete the account now?  Or can you clean it up and
> delete the out of date files with security vulnerabilities?
> 
> On Wed, Nov 07, 2018 at 04:31:07AM +0100, Samson Goddy wrote:
> > Peace Ojemeh just created an account yesterday.
> > 
> > On Wed, Nov 7, 2018, 4:29 AM Walter Bender <[1]walter.bender at gmail.com> wrote:
> > 
> >     A few people on the list are still active: tgilliard for example. And
> >     please keep cjl's account around.
> > 
> >     On Tue, Nov 6, 2018 at 10:21 PM Bernie Innocenti <[2]bernie at codewiz.org>
> >     wrote:
> > 
> >         On 11/7/18 10:20 AM, James Cameron wrote:
> >         > Small typo in sunjammer:/etc/skel/public_html has been fixed, and
> >         > copied to affected users public_html/
> >         >
> >         > ajay aleph anurag aperez arun aurora ayush bashintosh benzea caroline
> >         > christophd cjb cjl crodas dcastelo dcrossland dsd dvd earias erikg
> >         > fran godiard ishan jminor kaametza kandarpk leio mako manusheel marco
> >         > martasd martin mokurai mostro mstone mtd mukul mvn naufraghi neeraj
> >         > nubae peaceojemeh pflores piro rasky rralcala rsl sergiodj shanjit sj
> >         > socialhelp tal tuukka werner woody wwdillingham
> >         >
> >         > Know any of these users are inactive?  Perhaps we should remove them.
> >         >
> >         > There are 119 user home directories on sunjammer.
> > 
> >         There's an old cronjob to find users with expired ldap passwords and
> >         notify them by email: /etc/cron.weekly/check_pwd_expire
> > 
> >         I ran a modified version that doesn't send email to generate this list:
> > 
> >         Note: user alsroot password has expired since 668 days
> >         Warning: user asharma has no LDAP entry
> >         Note: user bashintosh password has expired since 1197 days
> >         Warning: user dcrossland has no LDAP entry
> >         Note: user francis password has expired since 821 days
> >         Note: user francocorrea password has expired since 912 days
> >         Note: user mako password has expired since 898 days
> >         Note: user martasd password has expired since 954 days
> >         Note: user mstone password has expired since 1107 days
> >         Note: user quidam password has expired since 1068 days
> >         Note: user rolf password has expired since 991 days
> >         Note: user rralcala password has expired since 820 days
> >         Note: user sam password has expired since 429 days
> >         Warning: user tgilliard has no LDAP entry
> > 
> >         There's also system-userdel, a convenient script which removes users
> >         from ldap and other places and moves their home to /home/_disabled
> > 
> >         Feel free to delete all these users, except sam and rralcala who
> >         are still active. User tgilliard is actually Tgilliard in ldap... weird
> >         :-)
> > 
> >         Providing shell accounts to developers was still fashionable 10 years
> >         ago, but with things like GitLab which support the entire development
> >         -> release -> web deployment cycle, I no longer see the reason in most
> >         cases. Developer accounts have become a huge security concern due to
> >         the various CPU exploits, so I would avoid giving out more shell
> >         accounts to people who are not supposed to be root anyway.
> > 
> >         --
> >          _ // Bernie Innocenti
> >          \X/  [3]https://codewiz.org/
> >         _______________________________________________
> >         Systems mailing list
> >         [4]Systems at lists.sugarlabs.org
> >         [5]http://lists.sugarlabs.org/listinfo/systems
> > 
> >     --
> >     Walter Bender
> >     Sugar Labs
> >     [6]http://www.sugarlabs.org
> >     [7]
> >     _______________________________________________
> >     Systems mailing list
> >     [8]Systems at lists.sugarlabs.org
> >     [9]http://lists.sugarlabs.org/listinfo/systems
> > 
> > References:
> > 
> > [1] mailto:walter.bender at gmail.com
> > [2] mailto:bernie at codewiz.org
> > [3] https://codewiz.org/
> > [4] mailto:Systems at lists.sugarlabs.org
> > [5] http://lists.sugarlabs.org/listinfo/systems
> > [6] http://www.sugarlabs.org/
> > [7] http://www.sugarlabs.org/
> > [8] mailto:Systems at lists.sugarlabs.org
> > [9] http://lists.sugarlabs.org/listinfo/systems
> 
> -- 
> James Cameron
> http://quozl.netrek.org/

-- 
James Cameron
http://quozl.netrek.org/
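
An inventory helper for the cleanup discussed in this thread, as an added example that is not part of the original messages: it lists VM images and OS installers under a directory tree that have not been modified for a given number of days, oldest first. The function name, the extension list and the 730-day default are assumptions chosen for illustration, and it relies on GNU find and stat.

```shell
#!/bin/sh
# Added example (not from the thread): find stale VM images and OS
# installers under a tree of home directories so they can be reviewed
# for update or deletion.
# Assumptions: the extension list and default threshold are illustrative;
# GNU find/stat are available (stat -c is a GNU option).

# stale_images ROOT [DAYS]
# Prints "age_days<TAB>size_kb<TAB>path" for every image-like file under
# ROOT whose mtime is more than DAYS days old (default 730), oldest first.
stale_images() {
    root=$1
    days=${2:-730}
    now=$(date +%s)
    find "$root" -type f -mtime +"$days" \
        \( -iname '*.ova' -o -iname '*.iso' -o -iname '*.img' \
           -o -iname '*.vdi' -o -iname '*.vmdk' -o -iname '*.qcow2' \) \
        -exec stat -c '%Y %s %n' {} + 2>/dev/null |
    while read -r mtime size path; do
        # Convert mtime (epoch seconds) to age in whole days and bytes to KiB.
        printf '%d\t%d\t%s\n' \
            $(( (now - mtime) / 86400 )) $(( size / 1024 )) "$path"
    done | sort -t "$(printf '\t')" -k1,1nr
}

# Usage after sourcing this file (path is an example):
#   stale_images /home 730
```

The age is taken from the file's modification time, so a recently re-uploaded copy of an old release will not be listed; the output is a starting point for manual review, not a deletion list.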