On Fri, Apr 14, 2017 at 01:21:33AM -0600, Reg Tiangha wrote:
> On 04/14/2017 12:38 AM, Leo Gaspard wrote:
> According to [1], linux <= 4.4.60 is affected. The patch was put on
> 4.5-rc1 branch on Dec. 15, but this doesn't mean it got backported to
> older kernels as it was not tagged as a security issue before (eg.
> debian's DSA mentioned "A regression in the UDP implementation prevented
> freeradius and some other applications from receiving data." as the
> reason for their backporting the patch, if I read correctly)
> 
> Which, unless fedora's (or qubes') kernel has been using a patch for
> this despite it not being tagged as a security issue until now, would
> mean qubes' current kernels are all vulnerable.
> 
> HTH,
> Leo
> 
> ----
> 
> Ugh. If that's the case, then people should compile a 4.4.61 kernel for
> themselves (that was released on Apr 12 so it's the most recent in that
> branch) since Qubes builds its kernel off the vanilla kernel (it's
> pretty easy to do and like I said before, it should build with no problems,
> but make sure you have 4GB of free space in /home before you do since
> the compilation needs that much to complete); not sure if/when that'll
> appear in the official Qubes repositories so until then, we're all on
> our own.
> 

I think everyone should calm down. :-)

If you look at the source for 4.4.38 used to build the kernel used in
Qubes, you will see that it already contains the patch.
That's linux-4.4.38 from 10-Dec-2016

Qubes kernel version 4.4.38-11 was built 12-Dec-2016, and incorporates
that patch, so if you keep your system updated you are already covered.

Did the vulnerability exist in the past? Of course.
Have you been affected? That seems unlikely to me, since as Vit points
out, it requires a specific mode which you aren't likely to have been
running, particularly not in sys-net.
If you are worried about compromise - good. That's what Qubes aims to
address. Your use patterns should protect you against compromise of
individual qubes.
Has your Qubes been compromised, in the sense that everything is now
open to a remote attacker? Not, I think, because of this issue.

As always, I'm open to other arguments, but it's a huge step from this
old vulnerability to worrying about my Qubes infrastructure being
compromised, and I haven't seen anything that makes me think that's
likely or even possible.

unman
