Re: stable-security kernel updates

2016-04-25 Thread Willy Tarreau
On Tue, Apr 26, 2016 at 01:14:13AM +0200, Ben Hutchings wrote: > On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote: > > On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote: > > > > > > This means that missing CVE fixes are quite common with stable > > > trees? > > Until someone

Re: stable-security kernel updates

2016-04-25 Thread Ben Hutchings
On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote: > On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote: > > > > This means that missing CVE fixes are quite common with stable > > trees? > Until someone reports they are missing :-) Or they are unfixed upstream (there are a good few

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 10:54 AM, Jiri Slaby wrote: > On 04/21/2016, 03:53 PM, Sasha Levin wrote: >> I'm not trying to replace the stable trees, I'm trying to help users who >> don't >> update the stable tree that often to at least receive critical fixes in >> between >> those updates. > > And that's the

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
[Sorry I'm cutting out lots of stuff here, I just want to understand the point below first] On 04/21/2016 10:54 AM, Jiri Slaby wrote: > On 04/21/2016, 03:53 PM, Sasha Levin wrote: >>> Pardon my ignorance, how can you actually be sure? >> >> I'm not, same way you can't be sure about your stable

Re: stable-security kernel updates

2016-04-21 Thread Jiri Slaby
On 04/21/2016, 03:53 PM, Sasha Levin wrote: >> Pardon my ignorance, how can you actually be sure? > > I'm not, same way you can't be sure about your stable patch selection either. I repeat I am not doing any selection. Patches are not included iff they do not apply and I am not confident enough

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote: > This means that missing CVE fixes are quite common with stable trees? Until someone reports they are missing :-) Willy

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 10:13 AM, Jiri Slaby wrote: > On 04/21/2016, 03:54 PM, Sasha Levin wrote: >> On 04/21/2016 08:39 AM, Greg KH wrote: >>> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: > On 04/21/2016, 01:59 PM, Jiri Slaby wrote: > (CVE-2016-2085) 613317b EVM: Use

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
On Thu, Apr 21, 2016 at 04:13:07PM +0200, Jiri Slaby wrote: > On 04/21/2016, 03:54 PM, Sasha Levin wrote: > > On 04/21/2016 08:39 AM, Greg KH wrote: > >> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: > On 04/21/2016, 01:59 PM, Jiri Slaby wrote: > (CVE-2016-2085) 613317b

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 08:56 AM, Willy Tarreau wrote: > On Wed, Apr 20, 2016 at 03:50:34PM -0400, Sasha Levin wrote: >> Hi all, >> >> Updates for stable-security kernels have been released: >> >> - v3.12.58-security >> - v3.14.67-security >> - v3.18.31-security >> - v4.1.22-security >>

Re: stable-security kernel updates

2016-04-21 Thread Jiri Slaby
On 04/21/2016, 03:54 PM, Sasha Levin wrote: > On 04/21/2016 08:39 AM, Greg KH wrote: >> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: On 04/21/2016, 01:59 PM, Jiri Slaby wrote: (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons >> >> Does

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
On Thu, Apr 21, 2016 at 10:01:29AM -0400, Sasha Levin wrote: > > What are you "stop-gapping" then? The 7-10 days between stable > > releases? > > In a perfect world where everyone has a team of kernel hackers on hand > reviewing stable commits, verifying the resulting kernel doesn't regress >

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 08:36 AM, Greg KH wrote: > On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote: >> Hey Willy, >> >> On 04/21/2016 03:11 AM, Willy Tarreau wrote: >>> This illustrates exactly what I suspected would happen because that's the >>> same trouble we all face when picking backports

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 08:39 AM, Greg KH wrote: > On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: >> > On 04/21/2016, 01:59 PM, Jiri Slaby wrote: > >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest > >> comparisons >>> > > >>> > > Does not exist in the CVE database/is

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 07:59 AM, Jiri Slaby wrote: > On 04/21/2016, 01:11 PM, Sasha Levin wrote: >>> Ok, not that bad, it is only unused code, but why are *not* these in the >>> security tree? >>> ipr: Fix out-of-bounds null overwrite >> >> Is there a particular way to exploit this that I'm missing? > >

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
On Wed, Apr 20, 2016 at 03:50:34PM -0400, Sasha Levin wrote: > Hi all, > > Updates for stable-security kernels have been released: > > - v3.12.58-security > - v3.14.67-security > - v3.18.31-security > - v4.1.22-security > - v4.4.8-security > - v4.5.2-security

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
On Thu, Apr 21, 2016 at 09:39:18PM +0900, Greg KH wrote: > On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: > > On 04/21/2016, 01:59 PM, Jiri Slaby wrote: > > >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons > > > > > > Does not exist in the CVE database/is

Re: stable-security kernel updates

2016-04-21 Thread Greg KH
On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote: > On 04/21/2016, 01:59 PM, Jiri Slaby wrote: > >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons > > > > Does not exist in the CVE database/is not confirmed yet AFAICS. > > And now I am looking at the patch and

Re: stable-security kernel updates

2016-04-21 Thread Greg KH
On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote: > Hey Willy, > > On 04/21/2016 03:11 AM, Willy Tarreau wrote: > > This illustrates exactly what I suspected would happen because that's the > > same trouble we all face when picking backports for our respective trees > > except that

Re: stable-security kernel updates

2016-04-21 Thread Bjørn Mork
Sasha Levin writes: > On 04/21/2016 02:43 AM, Jiri Slaby wrote: > >> Input: powermate - fix oops with malicious USB descriptors > > This requires physical access to the machine. You wish. Say you have some internal USB connected device with replaceable firmware. LTE modem, fingerprint reader,

Re: stable-security kernel updates

2016-04-21 Thread Jiri Slaby
On 04/21/2016, 01:59 PM, Jiri Slaby wrote: >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons > > Does not exist in the CVE database/is not confirmed yet AFAICS. And now I am looking at the patch and I remember why I threw it away. crypto_memneq is not in 3.12 yet and I

Re: stable-security kernel updates

2016-04-21 Thread Jiri Slaby
On 04/21/2016, 01:11 PM, Sasha Levin wrote: >> Ok, not that bad, it is only unused code, but why are *not* these in the >> security tree? >> ipr: Fix out-of-bounds null overwrite > > Is there a particular way to exploit this that I'm missing? Any (write > 100) to "/sys/.../fw_update" writes '0'

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
Hey Willy, On 04/21/2016 03:11 AM, Willy Tarreau wrote: > This illustrates exactly what I suspected would happen because that's the > same trouble we all face when picking backports for our respective trees > except that since the selection barrier is much higher here, lots of > important ones

Re: stable-security kernel updates

2016-04-21 Thread Sasha Levin
On 04/21/2016 02:43 AM, Jiri Slaby wrote: > On 04/20/2016, 09:50 PM, Sasha Levin wrote: >> Updates for stable-security kernels have been released: >> >> - v3.12.58-security > > I suggest nobody uses that kernel. > > That tree does not make much sense to me. For example, what's the > purpose

Re: stable-security kernel updates

2016-04-21 Thread Willy Tarreau
Hi Jiri, On Thu, Apr 21, 2016 at 08:43:55AM +0200, Jiri Slaby wrote: > On 04/20/2016, 09:50 PM, Sasha Levin wrote: > > Updates for stable-security kernels have been released: > > > > - v3.12.58-security > > I suggest nobody uses that kernel. > > That tree does not make much sense to me.

Re: stable-security kernel updates

2016-04-21 Thread Jiri Slaby
On 04/20/2016, 09:50 PM, Sasha Levin wrote: > Updates for stable-security kernels have been released: > > - v3.12.58-security I suggest nobody uses that kernel. That tree does not make much sense to me. For example, what's the purpose of "kernel: Provide READ_ONCE and ASSIGN_ONCE" (commit

stable-security kernel updates

2016-04-20 Thread Sasha Levin
Hi all, Updates for stable-security kernels have been released: - v3.12.58-security - v3.14.67-security - v3.18.31-security - v4.1.22-security - v4.4.8-security - v4.5.2-security They are available at: