Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-03 Thread David Wright
On Wed 02 Nov 2022 at 13:53:24 (-0400), Greg Wooledge wrote:
> On Wed, Nov 02, 2022 at 12:45:57PM -0500, Nicholas Geovanis wrote:
> > > > On 2022-11-02 03:40, Anssi Saari wrote:
> > > >> Looks like a linux-5.10 source package was indeed added to Buster in
> > > >> August and as you noted, it's getting security updates too.
> 
> > I'm just curious if this is the first time that a kernel _version_ bump
> > took place within the trajectory of a single Debian version? Or have kernel
> > _version_ changes always taken place at debian release boundaries before?
> 
> It's important to note that this is an optional, newer kernel image.
> Users who've just been running buster from the beginning may not even
> know about it, and it will have no effect on them.
> 
> It's very much UNlike the version bumps on, say, samba that have happened
> mid-stable-release in the past.
> 
> I'm fairly certain other releases have had optional kernel packages
> added to them, but I can't name any other than "etch-and-a-half" off
> the top of my head.
> 
> https://wiki.debian.org/EtchAndAHalf

From my notes,

slink was 2.0.3n, but 2.2 was runnable, and I built a 2.2.10. It was
kernel-image back then, presumably as there was no hurd.

potato was 2.2.19, but it appears there were 2.4 ones around too. I'm
not sure where the latter originated, but perhaps the name of one of
the sources, kernel-source-2.4.9-0.bunk, might be a clue.

sarge had 2.4.27 and 2.6.8 kernels, but the latter might not have been
all archs.

etch was all 2.6.

AFAICT lenny was still 2.6 when I built my last kernel, 2.6.26lucy.

While these are all version 2.x, AIUI everything changed after that.
So the x in 2.x is really equivalent to the first digit nowadays,
except of course that x had to increment by 2 each time.

Cheers,
David.



Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Greg Wooledge
On Wed, Nov 02, 2022 at 12:45:57PM -0500, Nicholas Geovanis wrote:
> > > On 2022-11-02 03:40, Anssi Saari wrote:
> > >> Looks like a linux-5.10 source package was indeed added to Buster in
> > >> August and as you noted, it's getting security updates too.

> I'm just curious if this is the first time that a kernel _version_ bump
> took place within the trajectory of a single Debian version? Or have kernel
> _version_ changes always taken place at debian release boundaries before?

It's important to note that this is an optional, newer kernel image.
Users who've just been running buster from the beginning may not even
know about it, and it will have no effect on them.

It's very much UNlike the version bumps on, say, samba that have happened
mid-stable-release in the past.

I'm fairly certain other releases have had optional kernel packages
added to them, but I can't name any other than "etch-and-a-half" off
the top of my head.

https://wiki.debian.org/EtchAndAHalf



Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Nicholas Geovanis
On Wed, Nov 2, 2022, 9:35 AM Anssi Saari  wrote:

> John Boxall  writes:
>
> > On 2022-11-02 03:40, Anssi Saari wrote:
> >> Looks like a linux-5.10 source package was indeed added to Buster in
> >> August and as you noted, it's getting security updates too. There's some
> >> info on the what and when at https://tracker.debian.org/pkg/linux-5.10
> >> but I don't know the why.
> >>
> >
> > Here is the information on the "why":
> >
> > https://www.debian.org/lts/security/2022/dla-3102
>
> Interesting. I thought it might be that but then as backport users are
> usually left out in the cold as far as security updates are concerned, I
> thought it couldn't be.
>

I'm just curious if this is the first time that a kernel _version_ bump
took place within the trajectory of a single Debian version? Or have kernel
_version_ changes always taken place at debian release boundaries before?

>


Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Anssi Saari
John Boxall  writes:

> On 2022-11-02 03:40, Anssi Saari wrote:
>> Looks like a linux-5.10 source package was indeed added to Buster in
>> August and as you noted, it's getting security updates too. There's some
>> info on the what and when at https://tracker.debian.org/pkg/linux-5.10
>> but I don't know the why.
>> 
>
> Here is the information on the "why":
>
> https://www.debian.org/lts/security/2022/dla-3102

Interesting. I thought it might be that but then as backport users are
usually left out in the cold as far as security updates are concerned, I
thought it couldn't be.



Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread John Boxall

On 2022-11-02 03:40, Anssi Saari wrote:


Looks like a linux-5.10 source package was indeed added to Buster in
August and as you noted, it's getting security updates too. There's some
info on the what and when at https://tracker.debian.org/pkg/linux-5.10
but I don't know the why.



Here is the information on the "why":

https://www.debian.org/lts/security/2022/dla-3102

--
Regards,

John Boxall



Re: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Felix Miata
Anssi Saari composed on 2022-11-02 09:40 (UTC+0200):

> John Boxall wrote:

>> Did I miss something in the last three years? When did buster go to a
>> 5.10 kernel? My buster system is still on kernel 4.19.

> Looks like a linux-5.10 source package was indeed added to Buster in
> August and as you noted, it's getting security updates too. There's some
> info on the what and when at https://tracker.debian.org/pkg/linux-5.10
> but I don't know the why.

> Maybe this is for Buster's LTS lifecycle and 4.19 is expected to go EOL
> before Buster does? Just a guess.

According to https://wiki.debian.org/DebianReleases Buster doesn't have an LTS. 
:p

Projected EOL for 4.19 currently is 2024-12.
https://www.kernel.org/category/releases.html
-- 
Evolution as taught in public schools is, like religion,
based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata



Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Anssi Saari
John Boxall  writes:

> Did I miss something in the last three years? When did buster go to a
> 5.10 kernel? My buster system is still on kernel 4.19.

Looks like a linux-5.10 source package was indeed added to Buster in
August and as you noted, it's getting security updates too. There's some
info on the what and when at https://tracker.debian.org/pkg/linux-5.10
but I don't know the why.

Maybe this is for Buster's LTS lifecycle and 4.19 is expected to go EOL
before Buster does? Just a guess.



Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-01 Thread John Boxall
Did I miss something in the last three years? When did buster go to a 
5.10 kernel? My buster system is still on kernel 4.19.



-------- Forwarded Message --------
Subject: [SECURITY] [DLA 3173-1] linux-5.10 security update
Resent-Date: Tue,  1 Nov 2022 20:58:06 +0000 (UTC)
Resent-From: debian-lts-annou...@lists.debian.org
Date: Tue, 01 Nov 2022 21:57:30 +0100
From: Ben Hutchings 
Reply-To: debian-...@lists.debian.org
Organization: Debian
To: debian-lts-annou...@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3173-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
November 1, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: linux-5.10
Version: 5.10.149-2~deb10u1
CVE ID : CVE-2021-4037 CVE-2022-0171 CVE-2022-1184 CVE-2022-1679
         CVE-2022-2153 CVE-2022-2602 CVE-2022-2663 CVE-2022-2905
         CVE-2022-3028 CVE-2022-3061 CVE-2022-3176 CVE-2022-3303
         CVE-2022-3586 CVE-2022-3621 CVE-2022-3625 CVE-2022-3629
         CVE-2022-3633 CVE-2022-3635 CVE-2022-3646 CVE-2022-3649
         CVE-2022-20421 CVE-2022-20422 CVE-2022-39188 CVE-2022-39190
         CVE-2022-39842 CVE-2022-40307 CVE-2022-41222 CVE-2022-41674
         CVE-2022-42719 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722
         CVE-2022-43750
Debian Bug : 1017425 1019248

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2021-4037

Christian Brauner reported that the inode_init_owner function for
the XFS filesystem in the Linux kernel allows local users to
create files with an unintended group ownership allowing attackers
to escalate privileges by making a plain file executable and SGID.

CVE-2022-0171

Mingwei Zhang reported that a cache incoherence issue in the SEV
API in the KVM subsystem may result in denial of service.

CVE-2022-1184

A flaw was discovered in the ext4 filesystem driver which can lead
to a use-after-free. A local user permitted to mount arbitrary
filesystems could exploit this to cause a denial of service (crash
or memory corruption) or possibly for privilege escalation.

CVE-2022-1679

The syzbot tool found a race condition in the ath9k_htc driver
which can lead to a use-after-free.  This might be exploitable to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2022-2153

"kangel" reported a flaw in the KVM implementation for x86
processors which could lead to a null pointer dereference. A local
user permitted to access /dev/kvm could exploit this to cause a
denial of service (crash).

CVE-2022-2602

A race between handling an io_uring request and the Unix socket
garbage collector was discovered. An attacker can take advantage
of this flaw for local privilege escalation.

CVE-2022-2663

David Leadbeater reported flaws in the nf_conntrack_irc
connection-tracking protocol module. When this module is enabled
on a firewall, an external user on the same IRC network as an
internal user could exploit its lax parsing to open arbitrary TCP
ports in the firewall, to reveal their public IP address, or to
block their IRC connection at the firewall.

CVE-2022-2905

Hsin-Wei Hung reported a flaw in the eBPF verifier which can lead
to an out-of-bounds read.  If unprivileged use of eBPF is enabled,
this could leak sensitive information.  This was already disabled
by default, which would fully mitigate the vulnerability.

CVE-2022-3028

Abhishek Shah reported a race condition in the AF_KEY subsystem,
which could lead to an out-of-bounds write or read.  A local user
could exploit this to cause a denial of service (crash or memory
corruption), to obtain sensitive information, or possibly for
privilege escalation.

CVE-2022-3061

A flaw was discovered in the i740 driver which may result in
denial of service.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-3176

A use-after-free flaw was discovered in the io_uring subsystem
which may result in local privilege escalation to root.

CVE-2022-3303

A race condition in the snd_pcm_oss_sync function in the sound
subsystem in the Linux kernel due to improper locking may result
in denial of service.

CVE-2022-3586 (ZDI-22-1452)

The Zero Day Initiative reported a flaw in the sch_sfb network
scheduler, which may lead to a use-after-free and leak of
sensitive information from the kernel.

CVE-2022-3621, CVE-2022-3646

The syzbot tool found flaws in the nilfs2 filesystem driver which
can