On 2026-04-30, Ludovic Courtès wrote:
> Gary Johnson <[email protected]> skribis:
>
>> My apologies if I've missed announcements related to this, but have we
>> updated our Linux kernel yet to patch against the recent Copy Fail exploit?
>>
>> https://copy.fail/
>
> I was looking at it just now. There are more details in their post:
>
> https://xint.io/blog/copy-fail-linux-distributions
>
> But I only found the list of Linux versions that include a fix in this
> post:
>
> https://seclists.org/oss-sec/2026/q2/281
>
> From what I can see 6.19.12 and 6.18.22, which we currently ship,
> include the fix.

We also, as of yesterday with commit d279f642d65c89374340d046c0a51ebcb59b387a, ship 6.19.14 and 6.18.25 :)

> Other versions are likely vulnerable:
>
> --8<---------------cut here---------------start------------->8---
> $ guix package -A linux-libre$
> linux-libre 6.6.134 out gnu/packages/linux.scm:1014:2
> linux-libre 6.19.12 out gnu/packages/linux.scm:1014:2
> linux-libre 6.18.22 out gnu/packages/linux.scm:1014:2
> linux-libre 6.12.81 out gnu/packages/linux.scm:1014:2
> linux-libre 6.1.168 out gnu/packages/linux.scm:1014:2
> linux-libre 5.15.202 out gnu/packages/linux.scm:1014:2
> linux-libre 5.10.252 out gnu/packages/linux.scm:1014:2

I did not update 5.10.x yesterday (it failed to build), so the current versions are:

linux-libre 5.10.252 out gnu/packages/linux.scm:1015:2
linux-libre 5.15.203 out gnu/packages/linux.scm:1015:2
linux-libre 6.1.169 out gnu/packages/linux.scm:1015:2
linux-libre 6.6.136 out gnu/packages/linux.scm:1015:2
linux-libre 6.12.84 out gnu/packages/linux.scm:1015:2
linux-libre 6.18.25 out gnu/packages/linux.scm:1015:2
linux-libre 6.19.14 out gnu/packages/linux.scm:1015:2

Other than 5.10.x, those were released on 2026-04-18 (5.x, 6.1.x?), 2026-04-22 (6.19.x), and 2026-04-27 (6.6.x, 6.12.x, 6.18.x)...

I really wonder if we should ship so many versions concurrently... when most users probably use the default version or default LTS version (I am guessing, anyways)... rolling out updates for that many kernel versions at once takes a full calendar day or more to have substitutes available for all versions (and not even all architectures, bordeaux does not usually build until it lands on guix master branch; I have not seen CI build an aarch64-linux kernel in ages)...

I think the vast majority of the time is applying and verifying the linux-libre patchsets to generate the cleaned source tarball; the actual kernel builds themselves do not take that long once they get started... most of the time, I have doubts about not just pulling the linux-libre tarballs directly rather than re-applying that process ourselves against the upstream linux tarballs... Although in situations like this, the infrastructure we have now allows us to attempt to move forward with fixes before linux-libre has had a chance to verify things...

If the newer 5.10.x still fails to build (none of the commits look like they address the issue), help debugging the failure would be appreciated:

https://codeberg.org/guix/guix/pulls/8032#issuecomment-13965350
https://ci.guix.gnu.org/build/21164235/log/raw

live well,
  vagrant
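The check the thread does by eye (which of the shipped linux-libre versions are at or above the versions named as fixed) is easy to get wrong when several stable series are in flight, so here is a small script that does it from a `guix package -A linux-libre$` listing. This is an added example, not code from vagrant, Ludovic or the Guix project. It assumes only what the thread states: 6.19.12 and 6.18.22 are fixed; every other series is deliberately left as unknown in the table (fill those in from the oss-sec post linked above). The listing embedded in the script is a constructed copy of the "current versions" list quoted in the mail.

```python
"""Compare shipped linux-libre versions against known-fixed minimum versions.

Added example; the fixed-version table only carries what the thread states.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample input: the current-versions listing vagrant quotes in the
# thread.  `guix package -A` prints columns tab-separated; the parser splits on
# any whitespace, so a space-separated copy from a mail works just as well.
CURRENT_LISTING = """\
linux-libre\t5.10.252\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t5.15.203\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t6.1.169\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t6.6.136\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t6.12.84\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t6.18.25\tout\tgnu/packages/linux.scm:1015:2
linux-libre\t6.19.14\tout\tgnu/packages/linux.scm:1015:2
"""

# Minimum fixed version per stable series.  Only 6.19.12 and 6.18.22 are named
# as fixed in the thread; the other series are None (unknown to this script),
# so the check reports "unknown" for them instead of guessing.  Assumption:
# the fixed-version list from the oss-sec post is what you would paste here.
FIXED_MINIMUM: Dict[Tuple[int, int], Optional[Version]] = {
    (6, 19): (6, 19, 12),
    (6, 18): (6, 18, 22),
    (6, 12): None,
    (6, 6): None,
    (6, 1): None,
    (5, 15): None,
    (5, 10): None,
}

# name, then a dotted numeric version, then the rest of the line
_LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<version>\d+(?:\.\d+)+)\s+")


def parse_version(text: str) -> Version:
    """'6.19.14' -> (6, 19, 14).  Tuples compare numerically, so 6.19.14 > 6.19.9."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_listing(text: str) -> Dict[str, Version]:
    """Map each linux-libre version string in a guix listing to its tuple."""
    found: Dict[str, Version] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line)
        if match and match.group("name") == "linux-libre":
            found[match.group("version")] = parse_version(match.group("version"))
    return found


def classify(version: Version, table: Dict[Tuple[int, int], Optional[Version]]) -> str:
    """'fixed', 'below-fix', or 'unknown' (series not in the table or None)."""
    minimum = table.get(tuple(version[:2]))  # stable series = first two numbers
    if minimum is None:
        return "unknown"
    return "fixed" if version >= minimum else "below-fix"


def check_listing(text: str, table=FIXED_MINIMUM) -> Dict[str, str]:
    """Classify every linux-libre version found in the listing."""
    return {ver: classify(tup, table) for ver, tup in parse_listing(text).items()}


if __name__ == "__main__":
    results = check_listing(CURRENT_LISTING)
    for ver in sorted(results, key=parse_version):
        print(f"linux-libre {ver:<10} {results[ver]}")
```

Run it against the real listing with `guix package -A 'linux-libre$' | python3 check.py`-style piping by replacing `CURRENT_LISTING` with `sys.stdin.read()`; the point of the `None` entries is that a series whose fixed version you have not looked up is reported as unknown rather than silently treated as safe.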