Debian kernels not getting patched for CVE-2016-8655?

[stevepusser]

https://security-tracker.debian.org/tra ... -2016-8655

Ubuntu pushed their fix out on Dec. 1, for Pete's sake. Does anyone know how to find out what the holdup is? I'm getting ready to adapt the patch to the 3.16 kernel myself and rebuild it if it takes any longer!

[reinob]

I guess because:
"Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"

still, it should be patched (someday).

[Head_on_a_Stick]

@reinob: the Debian kernels have user namespaces enabled and thus are vulnerable:

Code: Select all

empty@jessie:~$ grep USER_NS /boot/config-4.7.0-0.bpo.1-amd64 
CONFIG_USER_NS=y

@stevepusser: this vulnerability only affects those running unprivileged containers, AFAICT.

[stevepusser]

@reinob: the Debian kernels have user namespaces enabled and thus are vulnerable:

Code: Select all

empty@jessie:~$ grep USER_NS /boot/config-4.7.0-0.bpo.1-amd64 
CONFIG_USER_NS=y

@stevepusser: this vulnerability only affects those running unprivileged containers, AFAICT.

Thanks--do you think that includes Flatpaks?

[Head_on_a_Stick]

do you think that includes Flatpaks?

I don't think so, Flatpaks work fine in Arch and that has always had CONFIG_USER_NS unset.

https://bugs.archlinux.org/task/36969

[gradinaruvasile]

From the link you posted:

Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1

So if you have:

Code: Select all

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0

Which is the default it should not be a problem.

On Ubuntu (16.04.1 LTS) though you have:

Code: Select all

# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

[reinob]

From the link you posted:

Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1

So if you have:

Code: Select all

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0

Which is the default it should not be a problem.

On Ubuntu (16.04.1 LTS) though you have:

Code: Select all

# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

Thanks for clarifying what I tried to say above! :)

[jm009]

I have unprivileged containers on Debian Jessie, with lxc from backports...
My virtual server provider (kvm) wants additional money, if I want to use kvm instead of the containers.
Is there any hope, that this will get fixed on Jessie?

[gradinaruvasile]

Is there any hope, that this will get fixed on Jessie?

ATM Jessie-backports has the 4.8.11 kernel. Next probably will be 4.8.15 which has the fix (4.8.15 is in Unstable right now).

[jm009]

Thank you, I think I understand the idea now...
I wait for 4.8.11 being fixed, or 4.8.15 beeing included in stretch (=testing) what will probably/hopefully happen...
Then I do

Code: Select all

apt-get -t jessie-backports install linux-image-amd64 linux-image-4.8.0-0.bpo.2-amd64

(ATM = "at the moment"... I didn't decode this at the first look )

[jm009]

In looking at this https://security-tracker.debian.org/tra ... kage/linux
I see that the default Jessie kernel has much more unfixed vulnerabilities.

So today I wanted to test, if my server will run with a newer kernel from backports.
When I select linux-image-4.8.0-0.bpo.2-amd64 in aptitude, it says:

-----
Some dependencies of linux-image-4.8.0-0.bpo.2-amd64 are not satisfied:

* linux-image-4.8.0-0.bpo.2-amd64 depends on linux-base (<=4.3~)
-----

Can I install this kernel anyway, and will it work?

[jm009]

Ah, I found linux-base 4.3~bpo8+1

At the moment my server is rebooting...

Seems to work.
Puh

[pylkko]

you are kind of hijacking this thread and you should make your own thread about your support request in the appropriate section (this is not it).

And FWIW, given that Jessie kernel was release years ago, it is not surprising that more security problems have been reported for it than for newer kernels. Also if you are running an important server, remember that backported packages are not maintained by the security team.