Tag Archives: blue lion

Join Us at Warpstock 2022 in Orlando

Warpstock 2022 will be live once again, November 4-6 at the Country Inn & Suites, Orlando Airport. Arca Noae staff and developers will be there with the latest ArcaOS news and how-to sessions, as well as a host of other OS/2 experts ready and willing to share their knowledge and expertise.

Register before August 1 and receive a $30 Early Bird discount on a full conference registration or $20 on a daily conference registration! Spouses/family members/guests/office mates attending sessions also receive great discounts, and non-attending guests are FREE. Students with valid student ID are welcome to attend sessions at no charge, with full benefits! (This is a great opportunity for Computer Science majors and aspiring young developers and engineers to gain some exposure to a platform which is still in use in the manufacturing, finance, and insurance sectors around the globe today.)

Major topics of discussion this year will center around ArcaOS 5.1 and new disk and installation options. As always, we welcome questions and feedback from both new and experienced users.

GPT usability in ArcaOS 5.1.0

In our last post we discussed that the upcoming ArcaOS 5.1.0 release will be able to make use of laptops and desktops that only support booting in so-called UEFI mode.

When booting ArcaOS in UEFI mode, the disk partitioning scheme may use the traditional Master Boot Record (MBR) or the newer GUID Partition Table (GPT). Although MBR has been extended to support disks up to 2TB, with ever-growing disk sizes, this may be too limiting for devices which could otherwise support handling more data than this. Also, if installing to a disk which is already configured using GPT, releases of ArcaOS prior to 5.1.0 require a full wipe and repartition of the disk. This inconvenience should no longer be an issue in ArcaOS 5.1.

Thus, ArcaOS 5.1.0 will be able to utilize GPT disk layouts with the following benefits:

  • Support for hard disks and solid state drives larger than 2TB attached to AHCI or NVMe storage controllers.
  • On systems equipped with a single drive and Windows pre-installed using a GPT layout, there should be no need to wipe and repartition, as long as there is room for ArcaOS to create at least one partition for itself.
  • GPT eliminates many of the LVM issues you may have encountered in the past when preparing a disk to install ArcaOS next to other operating systems, such as Linux and Windows because ArcaOS will use the same LBA partition alignment method (for GPT disk layouts) as these other operating systems.

GPT usage has been integrated into the ArcaOS installation partitioning tool (Logical Volume Manager), giving you a seamless experience while installing and maintaining ArcaOS.

Of course, ArcaOS 5.1.0. will continue to support your existing hard disks that have been partitioned using an MBR disk layout, too. In fact, a mix of GPT and MBR disks is also possible, and you will also be able to install ArcaOS in a UEFI environment on an MBR disk (GPT is completely optional, and never a requirement).

It is also important to remember that while ArcaOS 5.1.0 will support hard disks and SSDs larger than 2TB, OS/2 filesystems are currently limited to 2TB per partition. Thus, in order to fully utilize, say, a 12TB device for ArcaOS, you would need to partition this into multiple volumes, each no more than 2TB in size. (Also, for volumes in excess of 64GB, you must select JFS as the filesystem.)

Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

ArcaOS

ArcaOS 5.0.7 now available

In our continuing commitment to ArcaOS 5.0 (Blue Lion), Arca Noae is pleased to announce the general availability of ArcaOS 5.0.7, the seventh maintenance release of the 5.0 line.

ArcaOS 5.0.7 includes refreshed driver content, updated kernel and included software, as well as installation boot fixes since 5.0.6 was released in 2020. If you have experienced difficulty installing previous releases of ArcaOS on your hardware, 5.0.7 may address your issue(s). If installing from USB stick, the image may be created using any major operating system at hand (Windows, Linux, MacOS, and of course, OS/2, eComStation, and ArcaOS). Once built, the USB stick can be inserted into any USB port in the target system to boot into the ArcaOS installer/updater.

For a complete list of updates in this release, see the ArcaOS wiki. Be sure to review the README.TXT, as well, as this contains critical information to ensure that you get up and running fast, and includes tips for getting things adjusted right away.

This update is included with your valid ArcaOS 5.0 Support & Maintenance subscription at no additional charge. To download your fresh ISO, simply visit your customer portal page, select the Orders & Subscriptions link on the navigation panel to the left, then click on the order for your ArcaOS 5.0 license. Once there, click the download link to request a fresh ISO, and wait for your notification email.

If your ArcaOS 5.0 Support & Maintenance subscription has already expired, and you missed your window of opportunity to renew at regular rates, you may still renew at less than the cost of a new ArcaOS license.

Adding Let’s Encrypt’s new root and intermediate certificates to Mozilla applications

On September 30, 2021, Let’s Encrypt’s DST Root CA X3 cross-sign expired, leaving many web browsers to report that sites using Let’s Encrypt SSL certificates were “untrusted” or “unknown.”

Let’s Encrypt did, in fact, implement a new root and intermediate certificates some time ago, but after the built-in certificate stores in the Mozilla applications shipped with all versions of ArcaOS 5.0 to date (5.0 through 5.0.6) were configured. Thus, these new certificates were not included in those builds, and as a result, the new root certificate is indeed unknown.

The fix is relatively simple, and a rather common procedure for all browsers and email clients. To bring your Firefox, Thunderbird, and SeaMonkey certificate stores up to date, and learn how to do this for other new certificates as they become available, we’ve added a new wiki page, here.

Edited to add links to further information (off-site):

Let’s Encrypt – Chain of Trust
Let’s Encrypt – DST Root CA X3 Expiration (September 2021)

Warpstock 2021 Online

Tune in to Warpstock 2021 Online

Warpstock 2021 will happen online at 12:00pm EDT (16:00 UTC) this  Saturday, September 18.

Sessions will be a mix of live and prerecorded presentations, in 45-50-minute slots, scheduled to start on the hour.

David Azarewicz, Lewis Rosenthal, and Alex Taylor will be among those presenting this year on a variety of topics of interest concerning ArcaOS 5.0 and 5.1, device drivers, UEFI, GPT, and more.

Questions may be posed via YouTube Chat as well as IRC during the event.

The WarpEvents YouTube channel is the place to watch the event stream.

The URL for the #warpstock IRC channel is: ircs://irc.libera.chat:6697/warpstock (TLS encrypted),
or irc://irc.libera.chat/warpstock (plain text), or https://web.libera.chat/  (web interface, type #warpstock into Channel field).

The conference is entirely free this year, and no registration is necessary.

Warpstock Europe 2021

Join us for Warpstock Europe 2021 Online

Warpstock Europe 2021 will begin online at 14:00 UTC this coming Saturday, June 5. (For quick reference, that’s 10am EDT/7am PDT in the US and Canada, and 16:00 CET.)

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC. See the Warpstock Europe website for details.

The Warpstock Europe YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel on Freenode: #WSE2021.

The conference is entirely free this year, and no registration is necessary.

Both Lewis Rosenthal and Alex Taylor will be among those presenting this year.

ArcaOS 5.0.6 updates for 2020-11-14

Dynamic IconsTwo packages included in ArcaOS 5.0.6 have been updated, and are now available as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software. Specifically, these are:

  • Archive Tool 1.04.0 (updated from 1.03.03)
  • DVD Tools 1.08.0 (updated from 1.07.01)

These packages include minor fixes and enhancements over their previous versions, and while recommended, are not considered critical updates. Each package displays a changelog during installation to make it easy to see what’s new.

These are eCo Software applications which utilize the eCo Software Runtime libraries. Updating these runtime packages is recommended for the best user experience. (These packages have been updated since the release of ArcaOS 5.0.6.)

More updates are on the way to the Support & Maintenance subscription channel as we continue our work on the next release of ArcaOS. Watch for more announcements right here.

If you are still running OS/2 and/or eComStation systems and haven’t yet moved up to ArcaOS, this is a great reason to do so now. If you’ve already made the switch, but haven’t renewed renewed your support subscription, this is also a good time. Not sure what’s coming next? Have a look at our product roadmap pages.

Warpstock 2020 Online

Tune in to Warpstock 2020 Online

Warpstock 2020 will happen online at 9:00am EST (14:00 UTC) this  Saturday, November 7, for those in North America and western Europe, and sessions will repeat in a second block beginning at 8:00pm EST (01:00 UTC, Sunday, November 8) for those in the Asia/Pacific region and eastern Europe. Each block should only be 3-4 hours in length.

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC or YouTube chat.

The WarpEvents YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel: irc://freenode/warpstock

The conference is entirely free this year, and no registration is necessary.

Both David Azarewicz and Lewis Rosenthal will be among those presenting this year.