Re: [DNG] Kernel Vulnerabilities or who understands this mess
On 3/10/22 04:29, Olaf Meeuwissen via Dng wrote:
> Hi,
>
> Ken Dibble writes:
>
> > Well, a consequence of this investigation was that I was forced to
> > double check some things.
> >
> > The thing I found is that the default /etc/apt/sources.list has
> > chimaera-updates and chimaera-security commented out.
> > Is this really well thought out?
> > I would think that most people would want those enabled.
>
> The *-security entry is enabled by default, IIRC, *unless* the installer
> was not able to contact it. This *may* have happened if you used an
> installer while chimaera was not yet released. Obviously, if you
> installed without a network connection, it will be disabled.
>
> Your sources.list should have appropriate comments if the installer
> disabled it.
>
> Whether you want *-updates enabled is debatable.
>
> And while writing this up I suddenly seem to remember the installer
> asking me what to enable/disable. That may have been an advanced mode
> installation though.
>
> Hope this helps,
> --
> Olaf Meeuwissen

For a sanity check, I did a fresh install in a vm. Indeed, things are as you suggested they should be.

I have to assume that I made the same mistake repeatedly, on multiple installs, choosing a wrong option somewhere, as all the devices had identical sources.list files and there were no comments in any of them about the network being unavailable (I rarely have network connectivity issues).

The only choice that I can think of would have been during the install, declining additional sources, thinking that it only meant local physical media.

Sorry for the noise, and thanks again.

Ken
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Hi,

Ken Dibble writes:

> Well, a consequence of this investigation was that I was forced to
> double check some things.
>
> The thing I found is that the default /etc/apt/sources.list has
> chimaera-updates and chimaera-security commented out.
> Is this really well thought out?
> I would think that most people would want those enabled.

The *-security entry is enabled by default, IIRC, *unless* the installer was not able to contact it. This *may* have happened if you used an installer while chimaera was not yet released. Obviously, if you installed without a network connection, it will be disabled.

Your sources.list should have appropriate comments if the installer disabled it.

Whether you want *-updates enabled is debatable.

And while writing this up I suddenly seem to remember the installer asking me what to enable/disable. That may have been an advanced mode installation though.

Hope this helps,
--
Olaf Meeuwissen
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
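Olaf's reply turns on whether the release's -security line in /etc/apt/sources.list is active, present but commented out (what the installer does when it cannot reach the mirror, leaving a comment), or missing altogether. As an added example, not code from Devuan, Debian or anyone in this thread, the following Python audits the classic one-line sources.list format and reports exactly that for a release. The sample file embedded in it is constructed to mirror the situation Ken describes, and the function names (`audit`, `security_disabled`) are mine.

```python
import re
from typing import Dict

# Constructed sample in the classic one-line format; it mirrors the situation in the
# thread (release suite active, -security and -updates commented out), not a real file.
SAMPLE_SOURCES_LIST = """\
# deb cdrom:[Devuan GNU/Linux 4.0 chimaera - amd64 DVD]/ chimaera main
deb http://deb.devuan.org/merged chimaera main non-free contrib
deb-src http://deb.devuan.org/merged chimaera main non-free contrib

#deb http://deb.devuan.org/merged chimaera-security main non-free contrib
#deb http://deb.devuan.org/merged chimaera-updates main non-free contrib
"""

# One entry, active or commented out: optional '#', type, optional [options], URI,
# suite.  Commented lines are matched too so "present but disabled" can be reported.
_ENTRY = re.compile(r"^\s*(#+\s*)?(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def suite_states(text: str) -> Dict[str, str]:
    """Map every binary (deb) suite in TEXT to 'enabled' or 'commented'.
    An active line wins over a commented duplicate of the same suite."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        comment, kind, uri, suite = m.groups()
        if kind != "deb" or uri.startswith("cdrom:"):
            continue  # source packages and install media do not deliver security updates
        state = "commented" if comment else "enabled"
        if states.get(suite) != "enabled":
            states[suite] = state
    return states


def audit(text: str, release: str) -> Dict[str, str]:
    """State of RELEASE, RELEASE-security and RELEASE-updates: enabled, commented or absent."""
    states = suite_states(text)
    return {s: states.get(s, "absent")
            for s in (release, release + "-security", release + "-updates")}


def security_disabled(text: str, release: str) -> bool:
    """True when no active line carries the release's security suite (the thread's case)."""
    return audit(text, release)[release + "-security"] != "enabled"


if __name__ == "__main__":
    import sys
    # Usage: python3 sources_audit.py /etc/apt/sources.list chimaera
    path = sys.argv[1] if len(sys.argv) > 1 else None
    release = sys.argv[2] if len(sys.argv) > 2 else "chimaera"
    text = open(path).read() if path else SAMPLE_SOURCES_LIST
    for suite, state in audit(text, release).items():
        print(f"{suite:24} {state}")
```

It only reads the one-line format; deb822 `.sources` files under /etc/apt/sources.list.d are not parsed, so a clean result here does not by itself prove the security suite is configured elsewhere. A commented-out entry is the signal to look for the installer's comment next to it before simply uncommenting.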
Re: [DNG] Kernel Vulnerabilities or who understands this mess
On Wednesday 09 March 2022 at 15:04:09, Stuart Duckworth via Dng wrote:

> On Tue, 8 Mar 2022 at 18:41, Ken Dibble wrote:
> >
> > The thing I found is that the default /etc/apt/sources.list has
> > chimaera-updates and chimaera-security commented out.
> > Is this really well thought out?
> > I would think that most people would want those enabled.
>
> I have the same problem with Beowulf, the updates etc. commented out. When
> I uncomment them I get an error when I try to update my applications.

What error message do you get?

Antony.

--
1960s: Let's build a network which can withstand a nuclear war!
1970s: Hm, that looks good, we'll run it on TCP/IPv4.
1980s: Nice, how about letting everyone join?
1990s: Hey, you can make money out of this!
2000s: Oh, you can lose it, too.
2010s: Alright, let's just plug absolutely everything into it.
2020s: Meh, my lightswitch is now connected to my lamp via China.

Please reply to the list; please *don't* CC me.
Re: [DNG] Kernel Vulnerabilities or who understands this mess
On Tue, 8 Mar 2022 at 18:41, Ken Dibble wrote:

> Well, a consequence of this investigation was that I was forced to
> double check some things.
>
> The thing I found is that the default /etc/apt/sources.list has
> chimaera-updates and chimaera-security commented out.
> Is this really well thought out?
> I would think that most people would want those enabled.
> Again, sorry for the noise.
>
I have the same problem with Beowulf, the updates etc. commented out. When I uncomment them I get an error when I try to update my applications.

Stuart Duckworth
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Well, a consequence of this investigation was that I was forced to double check some things.

The thing I found is that the default /etc/apt/sources.list has chimaera-updates and chimaera-security commented out.
Is this really well thought out?
I would think that most people would want those enabled.

Again, sorry for the noise.

Ken

On 3/8/22 07:15, Ludovic Bellière wrote:
> Hello Ken.
>
> Various things that people might find helpful:
>
> 1) BleepingComputer talks about CVE-2022-0847, not -0487 which is another unimportant issue.
> 2) If you want to be kept aware of security issues involving debian, you should subscribe to debian-security-annou...@lists.debian.org
> 3) To take a gander at the state of the linux kernel shipped with the various versions of debian, there is this tracker: https://security-tracker.debian.org/tracker/source-package/linux
>
> You can see in the tracker that CVE-2022-0847 is resolved. See DSA-5092-1 and https://security-tracker.debian.org/tracker/CVE-2022-0847
>
> As a rule of thumb, you should trust debian's various trackers to report the effective state of each package.
>
> Cheers,
> Ludovic
>
> On Mon, 07 Mar 2022, Ken Dibble wrote:
> > Sorry for the noise, but the conflicting information, or possibly my
> > misinterpretation of information, leaves me with some questions.
> >
> > BleepingComputer is reporting in an article dated 3-7-2022 that
> > CVE-2022-0847 is being exploited and Max Kellerman says that all 5.8
> > and later kernels are affected.
> >
> > The article goes on and says that it is fixed in 5.16.11, 5.15.25, and
> > 5.10.102.
> >
> > Debian says it is fixed in 5.10.92-2.
> >
> > There is no mention of the backported kernel branch 5.14 other than
> > being "5.8 or later".
> >
> > Chimaera is still at 5.10.84-1.
> >
> > I have multiple machines running the 5.14.9-2~bpo11+1 kernel.
> >
> > Can someone help with a definitive answer on what kernels are and are
> > not safe (fixed)?
> >
> > Thanks.
> >
> > Ken
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Hello Ken.

Various things that people might find helpful:

1) BleepingComputer talks about CVE-2022-0847, not -0487 which is another unimportant issue.
2) If you want to be kept aware of security issues involving debian, you should subscribe to debian-security-annou...@lists.debian.org
3) To take a gander at the state of the linux kernel shipped with the various versions of debian, there is this tracker: https://security-tracker.debian.org/tracker/source-package/linux

You can see in the tracker that CVE-2022-0847 is resolved. See DSA-5092-1 and https://security-tracker.debian.org/tracker/CVE-2022-0847

As a rule of thumb, you should trust debian's various trackers to report the effective state of each package.

Cheers,
Ludovic

On Mon, 07 Mar 2022, Ken Dibble wrote:
> Sorry for the noise, but the conflicting information, or possibly my
> misinterpretation of information, leaves me with some questions.
>
> BleepingComputer is reporting in an article dated 3-7-2022 that
> CVE-2022-0847 is being exploited and Max Kellerman says that all 5.8
> and later kernels are affected.
>
> The article goes on and says that it is fixed in 5.16.11, 5.15.25, and
> 5.10.102.
>
> Debian says it is fixed in 5.10.92-2.
>
> There is no mention of the backported kernel branch 5.14 other than
> being "5.8 or later".
>
> Chimaera is still at 5.10.84-1.
>
> I have multiple machines running the 5.14.9-2~bpo11+1 kernel.
>
> Can someone help with a definitive answer on what kernels are and are
> not safe (fixed)?
>
> Thanks.
>
> Ken
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Thank you for posting about this. I literally just did a kernel upgrade when this message came in.

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Tuesday, March 8, 2022 2:25 AM, Ken Dibble wrote:

> Sorry for the noise, but the conflicting information, or possibly my
> misinterpretation of information,
>
> leaves me with some questions. BleepingComputer is reporting in an
> article dated 3-7-2022 that CVE-2022-0847 is being exploited and Max
> Kellerman says that all 5.8 and later kernels are affected.
>
> The article goes on and says that it is fixed in 5.16.11, 5.15.25, and
> 5.10.102.
>
> Debian says it is fixed in 5.10.92-2.
>
> There is no mention of the backported kernel branch 5.14 other than
> being "5.8 or later".
>
> Chimaera is still at 5.10.84-1.
>
> I have multiple machines running the 5.14.9-2~bpo11+1 kernel.
>
> Can someone help with a definitive answer on what kernels are and are
> not safe (fixed)?
>
> Thanks.
>
> Ken
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Hi,

Ken Dibble writes:

> Sorry for the noise, but the conflicting information, or possibly my
> misinterpretation of information,
>
> leaves me with some questions. BleepingComputer is reporting in an
> article dated 3-7-2022 that CVE-2022-0847 is being exploited and Max
> Kellerman says that all 5.8 and later kernels are affected.
>
> The article goes on and says that it is fixed in 5.16.11, 5.15.25, and
> 5.10.102.
>
> Debian says it is fixed in 5.10.92-2.
>
> There is no mention of the backported kernel branch 5.14 other than
> being "5.8 or later".
>
> Chimaera is still at 5.10.84-1.
>
> I have multiple machines running the 5.14.9-2~bpo11+1 kernel.
>
> Can someone help with a definitive answer on what kernels are and are
> not safe (fixed)?

Running 5.16.11-1 on daedalus myself (according to uname -a).

I checked the /usr/share/doc/linux-image-amd64/changelog.gz and found

  linux (5.16.10-1) unstable; urgency=medium
    - moxart: fix potential use-after-free on remove path (CVE-2022-0487)

so I'd say, check your kernel images' changelog for mention(s) of any CVE(s) that worry you.

Oops! Just noticed that dyslexia got the better of me. Looks like my kernel is not fixed yet. Not too surprising when running "testing". Anyway, the advice should still be good though ;-)

But seeing you said 5.16.11 is fixed, I took a peek at the upstream changelog at

  https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.11

mentioned in that changelog.gz and while I could not find the CVE, searching for Max Kellerman, I did find

  commit eddef98207d678f21261c2bd07da55938680df4e
  Author: Max Kellermann
  Date:   Mon Feb 21 11:03:13 2022 +0100

      lib/iov_iter: initialize "flags" in new pipe_buffer

      commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream.

      The functions copy_page_to_iter_pipe() and push_pipe() can both
      allocate a new pipe_buffer, but the "flags" member initializer is
      missing.

      Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
      To: Alexander Viro
      To: linux-fsde...@vger.kernel.org
      To: linux-ker...@vger.kernel.org
      Cc: sta...@vger.kernel.org
      Signed-off-by: Max Kellermann
      Signed-off-by: Al Viro
      Signed-off-by: Greg Kroah-Hartman

so it looks like I'm good after all :-)

Hope this helps,
--
Olaf Meeuwissen
[DNG] Kernel Vulnerabilities or who understands this mess
Sorry for the noise, but the conflicting information, or possibly my misinterpretation of information, leaves me with some questions.

BleepingComputer is reporting in an article dated 3-7-2022 that CVE-2022-0847 is being exploited and Max Kellerman says that all 5.8 and later kernels are affected.

The article goes on and says that it is fixed in 5.16.11, 5.15.25, and 5.10.102.

Debian says it is fixed in 5.10.92-2.

There is no mention of the backported kernel branch 5.14 other than being "5.8 or later".

Chimaera is still at 5.10.84-1.

I have multiple machines running the 5.14.9-2~bpo11+1 kernel.

Can someone help with a definitive answer on what kernels are and are not safe (fixed)?

Thanks.

Ken
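Olaf's advice earlier in the thread (read the installed kernel image's changelog for the CVE) and Ken's question above (which package versions carry the fix) reduce to two mechanical steps: find the changelog entry that names the CVE, and compare the installed version against it using dpkg's ordering, in which 5.14.9-2~bpo11+1 sorts below 5.14.9-2 because a tilde sorts before everything. The following Python is an added example, not code from Debian, Devuan, dpkg or anyone in the thread; it serves both passages. The changelog text embedded in it is constructed for the demonstration (only the package name and version numbers come from the thread, the entry bodies are made up), the version comparison is a port of dpkg's algorithm written from its documented rules, and the function names are mine.

```python
import functools
import gzip
import re
import sys
from typing import List, Optional, Tuple

# Constructed stand-in for /usr/share/doc/linux-image-amd64/changelog.gz; only the
# package name and version numbers come from the thread, the entry bodies are made up.
SAMPLE_CHANGELOG = """\
linux (5.10.92-2) bullseye-security; urgency=high

  * [constructed entry] lib/iov_iter: initialize "flags" in new pipe_buffer
    (CVE-2022-0847)

 -- Example Maintainer <maint@example.invalid>  Mon, 07 Mar 2022 12:00:00 +0000

linux (5.10.84-1) bullseye; urgency=medium

  * [constructed entry] New upstream stable update.

 -- Example Maintainer <maint@example.invalid>  Wed, 08 Dec 2021 12:00:00 +0000
"""

# Debian changelog entry header: "source (version) distribution; urgency=..."
_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=", re.M)


def changelog_entries(text: str) -> List[Tuple[str, str]]:
    """Split a Debian changelog into (version, body) pairs, newest first."""
    heads = list(_HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [(h.group(2), text[h.end():end]) for h, end in zip(heads, ends)]


def versions_mentioning(text: str, cve: str) -> List[str]:
    """Versions whose entry names the CVE exactly (CVE-2022-084 must not match CVE-2022-0847)."""
    pat = re.compile(re.escape(cve) + r"(?!\d)")
    return [v for v, body in changelog_entries(text) if pat.search(body)]


# --- dpkg version ordering: port of dpkg's verrevcmp, where '~' sorts before anything ---
def _order(c: str) -> int:
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    i = j = 0
    ch = lambda s, k: s[k] if k < len(s) else ""
    while i < len(a) or j < len(b):
        first_diff = 0
        # the non-digit run is compared character by character
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # the digit run numerically: leading zeros dropped, the longer run wins
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    rc = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (rc > 0) - (rc < 0)


def first_fix(text: str, cve: str) -> Optional[str]:
    """Lowest version naming the CVE, i.e. the entry that introduced the fix on this branch."""
    found = versions_mentioning(text, cve)
    return min(found, key=functools.cmp_to_key(compare_versions)) if found else None


def is_fixed(installed: str, text: str, cve: str) -> Optional[bool]:
    """True/False once the changelog names the CVE; None if it never does (no evidence)."""
    fix = first_fix(text, cve)
    return None if fix is None else compare_versions(installed, fix) >= 0


if __name__ == "__main__":
    # Usage: python3 kernel_cve_check.py /usr/share/doc/linux-image-amd64/changelog.gz \
    #            CVE-2022-0847 "$(dpkg-query -W -f='${Version}' linux-image-amd64)"
    if len(sys.argv) == 4:
        with gzip.open(sys.argv[1], "rt", errors="replace") as fh:
            print(is_fixed(sys.argv[3], fh.read(), sys.argv[2]))
    else:
        for v in ("5.10.84-1", "5.10.92-2", "5.10.102-1"):
            print(v, is_fixed(v, SAMPLE_CHANGELOG, "CVE-2022-0847"))
        print(compare_versions("5.14.9-2~bpo11+1", "5.14.9-2"))  # -1: the backport sorts below the release build
```

The comparison only means something against the changelog of the package that is actually installed: a 5.14 backport image is a different package with its own changelog, and a higher upstream number from another branch is no evidence that it carries a fix that was shipped in a 5.10 security build. A result of None (the CVE is not named anywhere) is "no evidence", not "fixed"; the Debian security tracker Ludovic points to is the place to resolve that.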