On 04/14/2017 06:00 AM, Reg Tiangha wrote:
> On 04/13/2017 09:33 PM, cooloutac wrote:
>> On Thursday, April 13, 2017 at 11:26:07 PM UTC-4, cooloutac wrote:
>>> So probably the kernels are not actually vulnerable, They fixed it a year
>>> ago with patches, and with Qubes you assume this sort of priv escl thing
>>> regardless which is why they don't even bother with sudo.
>> Actually when it comes to redhat they claim the code was never there to
>> exploit. But redhat might not apply to fedora kernel so I'm kind of curious
>> myself now.
>>
> For those who are concerned, this is what is currently in the Qubes
> repository for dom0:
>
> current: kernel-4.4.38, kernel-qubes-vm-4.4.38
>
> current-testing: kernel-4.4.55, kernel-qubes-vm-4.4.55
>
>
> From what I can tell, the Qubes Kernel is built from the stock kernel
> source, so if this bug was fixed months ago, you could probably install
> either and be fine (assuming you're running R3.2).
> [...]

According to [1], linux <= 4.4.60 is affected. The patch was put on 4.5-rc1 branch on Dec. 15, but this doesn't mean it got backported to older kernels as it was not tagged as a security issue before (e.g. debian's DSA mentioned "A regression in the UDP implementation prevented freeradius and some other applications from receiving data." as the reason for their backporting the patch, if I read correctly)

Which, unless fedora's (or qubes') kernel has been using a patch for this despite it not being tagged as a security issue until now, would mean qubes' current kernels are all vulnerable.

HTH,
Leo

[1] https://nvd.nist.gov/vuln/detail/CVE-2016-10229
