Xen 4.1.3 RPMs available

Just finishing off the final touches to my Xen RPMs for version 4.1.3. Changes from the Xen release notes include:

Xen.org is pleased to announce the release of Xen 4.0.4 and 4.1.3. These fix the following critical vulnerabilities: * CVE-2012-0217 / XSA-7: PV guest privilege escalation vulnerability * CVE-2012-0218 / XSA-8: guest denial of service on syscall/sysenter exception generation * CVE-2012-2934 / XSA-9: PV guest host Denial of Service * CVE-2012-3432 / XSA-10: HVM guest user mode MMIO emulation DoS vulnerability * CVE-2012-3433 / XSA-11: HVM guest destroy p2m teardown host DoS vulnerability

We recommend all users of the 4.0 and 4.1 stable series to update to these latest point releases.

Among many bug fixes and improvements (over 100 since Xen 4.1.2): * Updates for the latest Intel/AMD CPU revisions * Bug fixes and improvements to the libxl tool stack * Bug fixes for IOMMU handling (device passthrough to HVM guests) * Bug fixes for host kexec/kdump

NOTE: My previous 4.1.2 packages were already fixed for XSA-7, XSA-8, and XSA-9.

The new packages can be installed via yum - or if you're a first time installer, you should follow the guide.

Why the job market sucks

I came across an advertisement today looking for Linux Engineers with a speciality in virtualisation, PHP/Perl/Bash coding, and VoIP. Interested, I looked up the mob that was advertising it.

It turns out there is a relatively swish looking recruitment firm called Super Coders. Of course, a little digging says its also called Flat Rate Recruitment - but that doesn't sound anywhere near as appealing :)

So I give them a call thinking that they may actually be a decent company - and of course have to leave a name and number for someone to call me back.

They did call back, but strangely enough, the position advertised had already closed (or did it even exist in the first place?) and the only thing the person who called me back was interested in is getting a resume. He did mention another possible position, but wasn't willing to discuss it with me - Just send in a resume!.

I believe this is what is wrong with the job sector at the moment. I remember my first IT position. I registered with a job agency and it was their purpose to get me a job! Now, it seems everyone harvests resumes to justify their existence and plop the first 20 that come out of their basic search to companies that actually advertise jobs.

Why the industry has changed so much is beyond me. Has the care by recruitment agencies disappeared that much that beyond collecting their fees, they don't care about the real suitability of the person for a job?

Anyone else come across things like this?

Site moves to SSL only.

In protest of Telstra and their offensive strategy of recently sending all web browsing URLs to a third party in a different country, I have migrated ALL of the www.crc.id.au domain to use SSL encryption to keep spying eyes out of your data.

As Telcos have proven time and time again that they cannot be trusted to uphold the privacy of their customers, I shall be looking at migrating further sites as I get time.

After Telstra got busted doing this, a key quote from the CEO states: "We stopped the program immediately, as this was the right thing to do," Mr Thodey said. I find it offensive that he only thinks that it is the right thing to do when they have been publicly exposed violating their customers privacy.

If you see any problems with my site (I'm pretty sure I have it all correct), please let me know!

Team Fortress 2 - Meet the Pyro

So I've been waiting for this video for a long, long time as rumour was it was going to be fantastic. You know what? Fantastic doesn't describe it.

When I first saw this video, I couldn't stop myself from laughing. In fact, I haven't laughed at anything so hard in a long, long time.

Well done Valve. Well done.

Xen privilege escalation vulnerability on Intel CPU - CVE-2012-0217

I've just built and rolled out packages that have been patched against this.

If you are running Xen on a 64 bit machine, please make sure you update to 4.1.2-8 ASAP.

From the Xen-Announce post:

ISSUE DESCRIPTION =================

Rafal Wojtczuk has discovered a vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.


Guest administrators can gain control of the host.

Depending on the particular guest kernel it is also possible that non-privileged guest user processes can also elevate their privileges to that of the host.

I've also patched for CVE-2012-2934 - although this probably won't hit anyone...

Telstra prepaid mobile broadband

Its strange, I always thought that companies had their fingers on the pulse when it comes to internet connections. How surprised I was to find out recently how far off the ball Telstra is in some of their pricing.

I'm currently in Tasmania - which Telstra has a big advantage over the Optus network in coverage. To the point where I've only had odd spots of coverage with my Virgin Mobile device over the last two weeks. I went to the local Post Office and purchased one of the Telstra $99 Prepaid Mobile Broadband devices that came with a bundled 5Gb of data.

It does the job well - its quite snappy and 5Gb is more than enough for the couple of weeks we're over here. The shock I did get is when I looked at the pricings for recharging the device. It seems Telstra class these devices in a world of their own - most of the time it is over 4 times more expensive to top up a mobile broadband plan than a similar iPad plan.

Do what do they offer? Look at this:

Mobile Broadband
1GB (30 days)
250MB (21 days)
3GB (30 days)
700MB (30 days)
1GB (30 days)
3GB (30 days)
6GB (30 days)
9GB (30 days)
4GB (60 days)
12GB (30 days)
6GB (90 days)
12GB (365 days)
12GB (365 days)

Yes, you saw it right. $30 will get you 3Gb of data on an iPad plan, but a tiny 700Mb on a mobile broadband device. To add insult to injury, it doesn't seem like Telstra have reviewed their pricing for well over a year.

Interestingly, it seems most of Telstra's competition are offering mobile broadband plans on almost the same rates as the Telstra iPad plans. I wonder why Telstra do not merge their MBB and iPad plans? Do they really get that much of a kickback from Apple to make these extreme differences in pricing feasible?