Package: linux-image-amd64
Version: 4.8+77~bpo8+1
Severity: critical
Tags: security
Justification: root security hole

Hi,

As of now two flavours of Linux kernels are released. The default ones are the signed ones, while other, unsigned kernels are also available. The problem is that there's a significant delay between the release of the two flavours, often more than one week, which exposes users of signed kernels to critical vulnerabilities addressed in the newer kernel releases. The only possible workaround is to switch to -unsigned linux kernels, but this is messy and clearly unwanted.

I've raised an issue on the BPO mailing list here: https://lists.debian.org/debian-backports/2017/01/msg00033.html (the issue also applies to testing and unstable). The answer is basically that:

1/ - unsigned kernels are only available for testing purposes
2/ - it is not possible to build signed and unsigned kernels simultaneously.

I'm okay with the latter as long as there's only a couple of hours between the two kernel releases. Now if we must wait more than one week to get the signed image, it clearly reveals there's an issue in the signed image build process which must be addressed before the Stretch release. Otherwise a possibility would be to use the -unsigned image by default and create an optional linux-image-amd64-signed metapackage like the one which exists for grsec.

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-amd64 depends on:
ii  linux-image-4.8.0-0.bpo.2-amd64-unsigned [linux-image-4.8. 4.8.15-2~bpo8+1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information
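An added example, not part of the bug report: a Python check that measures the exposure window the report describes, by comparing the kernel version the signed metapackage currently pulls in against the newest -unsigned version apt lists. It follows the dpkg version ordering rules (Debian Policy 5.6.12: '~' sorts before everything, letters before other characters, numeric runs compared as numbers), so backport suffixes such as 2~bpo8+1 order correctly. The value 4.8.15-2~bpo8+1 comes from the report; the newer unsigned version in the usage note is a constructed sample.

```python
def _order(c):
    """dpkg weight of a non-digit char: '~' lowest, then letters, then others."""
    if c == '~':
        return -1
    if c == '\0' or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    a, b, i, j = a + '\0', b + '\0', 0, 0  # '\0' marks the end, as in C
    while a[i] != '\0' or b[j] != '\0':
        first_diff = 0
        while (a[i] != '\0' and not a[i].isdigit()) or (b[j] != '\0' and not b[j].isdigit()):
            if _order(a[i]) != _order(b[j]):
                return _order(a[i]) - _order(b[j])
            i, j = i + 1, j + 1
        while a[i] == '0':  # leading zeros are insignificant
            i += 1
        while b[j] == '0':
            j += 1
        while a[i].isdigit() and b[j].isdigit():
            if not first_diff:  # remember the first differing digit pair
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i].isdigit():  # the longer numeric run is the larger one
            return 1
        if b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    """(epoch, upstream, debian_revision) of a Debian version string."""
    epoch, _, rest = v.partition(':') if ':' in v else ('0', '', v)
    upstream, _, revision = rest.rpartition('-') if '-' in rest else (rest, '', '')
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def signed_lag(signed_version, unsigned_version):
    """True while the -unsigned flavour ships a newer kernel than the signed one."""
    return compare_versions(unsigned_version, signed_version) > 0
```

Feed signed_lag() the Candidate versions that apt-cache policy shows for the signed image and its -unsigned counterpart; with the report's 4.8.15-2~bpo8+1 as the signed version and a constructed 4.9.2-2~bpo8+1 as the unsigned one it returns True, i.e. the signed users are in the window the report complains about.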