Debian kernels not getting patched for CVE-2016-8655?
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 72 times
Debian kernels not getting patched for CVE-2016-8655?
https://security-tracker.debian.org/tra ... -2016-8655
Ubuntu pushed their fix out on Dec. 1, for Pete's sake. Does anyone know how to find out what the holdup is? I'm getting ready to adapt the patch to the 3.16 kernel myself and rebuild it if it takes any longer!
MX Linux packager and developer
Re: Debian kernels not getting patched for CVE-2016-8655?
I guess because:
"Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"
still, it should be patched (someday).
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Debian kernels not getting patched for CVE-2016-8655?
@reinob: the Debian kernels have user namespaces enabled and thus are vulnerable:
@stevepusser: this vulnerability only affects those running unprivileged containers, AFAICT.
empty@jessie:~$ grep USER_NS /boot/config-4.7.0-0.bpo.1-amd64
CONFIG_USER_NS=y
deadbang
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 72 times
Re: Debian kernels not getting patched for CVE-2016-8655?
Head_on_a_Stick wrote:
@reinob: the Debian kernels have user namespaces enabled and thus are vulnerable:
@stevepusser: this vulnerability only affects those running unprivileged containers, AFAICT.
Thanks--do you think that includes Flatpaks?
MX Linux packager and developer
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Debian kernels not getting patched for CVE-2016-8655?
stevepusser wrote:
do you think that includes Flatpaks?
I don't think so, Flatpaks work fine in Arch and that has always had CONFIG_USER_NS unset.
https://bugs.archlinux.org/task/36969
deadbang
- gradinaruvasile
- Posts: 935
- Joined: 2010-01-31 22:03
- Location: Cluj, Romania
Re: Debian kernels not getting patched for CVE-2016-8655?
From the link you posted:
"Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"
So if you have:
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
which is the default, it should not be a problem.
On Ubuntu (16.04.1 LTS) though you have:
# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
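The two checks the thread relies on, CONFIG_USER_NS in the boot config and Debian's kernel.unprivileged_userns_clone sysctl, combined into one exposure verdict. This is an added example, not a script from any poster; the function names, verdict strings and the fallback for kernels that lack the Debian-specific sysctl are my own.

```shell
#!/bin/sh
# Added example: decide whether unprivileged users can create user
# namespaces, the precondition discussed in this thread for CVE-2016-8655.

# assess_userns CONFIG_VALUE SYSCTL_VALUE
#   CONFIG_VALUE : "y", "n" or "" (CONFIG_USER_NS absent from /boot/config-*)
#   SYSCTL_VALUE : "0", "1" or "" (sysctl missing: non-Debian kernel)
# Prints: not-built-in | disabled-by-sysctl | unprivileged-userns-enabled
assess_userns() {
    config="$1"
    sysctl_val="$2"
    if [ "$config" != "y" ]; then
        # User namespaces not compiled in (the Arch case mentioned in the
        # thread): the sysctl is irrelevant.
        echo "not-built-in"
    elif [ "$sysctl_val" = "0" ]; then
        # Debian's knob set to 0 (the Jessie default shown above): only
        # root may create user namespaces.
        echo "disabled-by-sysctl"
    else
        # Either the knob is 1 (the Ubuntu 16.04 value shown above) or the
        # kernel lacks the Debian patch, in which case CONFIG_USER_NS=y
        # alone is enough for unprivileged namespace creation (assumption:
        # mainline behaviour with no other restriction in place).
        echo "unprivileged-userns-enabled"
    fi
}

# check_running_kernel: read both values from the live system and assess.
check_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    config=""
    if [ -r "$cfg" ]; then
        config=$(sed -n 's/^CONFIG_USER_NS=//p' "$cfg")
    fi
    # -n prints only the value; stderr is dropped when the key does not exist.
    sysctl_val=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)
    assess_userns "$config" "$sysctl_val"
}

check_running_kernel
```

Run it as root or as an ordinary user; reading /boot/config-* and the sysctl needs no privileges on a default Debian install.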
Re: Debian kernels not getting patched for CVE-2016-8655?
gradinaruvasile wrote:
From the link you posted:
"Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"
So if you have:
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
which is the default, it should not be a problem.
On Ubuntu (16.04.1 LTS) though you have:
# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
Thanks for clarifying what I tried to say above! :)
Re: Debian kernels not getting patched for CVE-2016-8655?
I have unprivileged containers on Debian Jessie, with lxc from backports...
My virtual server provider (kvm) wants additional money, if I want to use kvm instead of the containers.
Is there any hope, that this will get fixed on Jessie?
- gradinaruvasile
- Posts: 935
- Joined: 2010-01-31 22:03
- Location: Cluj, Romania
Re: Debian kernels not getting patched for CVE-2016-8655?
jm009 wrote:
Is there any hope, that this will get fixed on Jessie?
ATM Jessie-backports has the 4.8.11 kernel. Next probably will be 4.8.15 which has the fix (4.8.15 is in Unstable right now).
Re: Debian kernels not getting patched for CVE-2016-8655?
Thank you, I think I understand the idea now...
I wait for 4.8.11 being fixed, or 4.8.15 being included in stretch (=testing), which will probably/hopefully happen...
Then I do
apt-get -t jessie-backports install linux-image-amd64 linux-image-4.8.0-0.bpo.2-amd64
(ATM = "at the moment"... I didn't decode this at first look)
Re: Debian kernels not getting patched for CVE-2016-8655?
Looking at this https://security-tracker.debian.org/tra ... kage/linux
I see that the default Jessie kernel has many more unfixed vulnerabilities.
So today I wanted to test whether my server will run with a newer kernel from backports.
When I select linux-image-4.8.0-0.bpo.2-amd64 in aptitude, it says:
-----
Some dependencies of linux-image-4.8.0-0.bpo.2-amd64 are not satisfied:
* linux-image-4.8.0-0.bpo.2-amd64 depends on linux-base (<=4.3~)
-----
Can I install this kernel anyway, and will it work?
Re: Debian kernels not getting patched for CVE-2016-8655?
Ah, I found linux-base 4.3~bpo8+1
At the moment my server is rebooting...
Seems to work.
Phew
Re: Debian kernels not getting patched for CVE-2016-8655?
You are kind of hijacking this thread; you should make your own thread about your support request in the appropriate section (this is not it).
And FWIW, given that the Jessie kernel was released years ago, it is not surprising that more security problems have been reported for it than for newer kernels. Also, if you are running an important server, remember that backported packages are not maintained by the security team.