Uploading linux (5.9.8-1)

2020-11-17 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 5.9.8-1 to unstable later
today[*].

This is catching up with recent stable versions from the v5.9.y stable
series, including various bugfixes as well as the mitigation/fix
for CVE-2020-8694. Depending on the upload time, we might include the
5.9.9 upstream version as well. An ABI bump for 5.9.8-1 is not planned
but might be needed for 5.9.9.

The pending changes in the packaging are:

   * [amd64] Enable SND_SOC_AMD_ACP3x, SND_SOC_AMD_RENOIR and
     SND_SOC_AMD_RENOIR_MACH (Closes: #973252)
   * [arm64] Add device tree for Kobol helios64 from rockchip next branch.
   * [arm64] NUMA: Kconfig: Increase NODES_SHIFT to 4
   * [rt] Refresh "signals: Allow rt tasks to cache one sigqueue struct"
   * igc: Fix returning wrong statistics (Closes: #970722)
   * [armhf] dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY
     (Closes: #973369)

Regards,
Salvatore

 [*] Actually only after the perl transition has been completed.




Re: Uploading linux (5.9.6-1)

2020-11-17 Thread Salvatore Bonaccorso
Florian,

On Sun, Nov 08, 2020 at 04:09:43PM +0100, Florian La Roche wrote:
> Hello Salvatore,
> 
> for AMD Ryzen and AMD Renoir hardware support, the Debian kernel
> "master" branch still has one
> commit that is not merged into the "sid" branch until now. See this for 
> details:
> 
> https://salsa.debian.org/kernel-team/linux/-/commit/4bc3f848e6e5b491047b5e298d6cf9ae7b85727a
> 
> Would be great to get this merged into 5.9 Debian kernel releases and
> not have this pushed out to
> 5.10 Debian kernels. It only enables further kernel modules, so should
> be really safe.

For the record: the change will be in the next unstable upload as well
(rather than only in the experimental one, as initially planned).

Hope this will help,

Regards,
Salvatore



Bug#973369: linux-image-5.9.0: No network at Banana Pi M3

2020-11-17 Thread Vagrant Cascadian
On 2020-11-17, Salvatore Bonaccorso wrote:
> On Mon, Nov 09, 2020 at 02:32:21PM +0100, Bernhard wrote:
>> Regarding correction:
>> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/arch/arm/boot/dts/sun8i-a83t-bananapi-m3.dts?h=next-20201029=57dbe558457bf4042169bc1f334e3b53a8480a1c
>> 
>> Currently, I had a look at kernel.org:
>> In kernel 5.9.6, the necessary correction is not included.
>> Also in kernel 5.10-RC3, this correction is not included.
>> 
>> Without this correction, the on-board Ethernet of my Banana Pi M3 is not
>> working.
>> An externally attached USB-->LAN interface works.
>> 
>> Do you think, there is a chance to add the very small correction to the 
>> Debian kernel?
>> 
>> Best regards and thank you for your great support.
>
> I have applied the change in
> https://salsa.debian.org/kernel-team/linux/-/commit/0cfcaef8b5e52549952e89cb31cff1530a5efa42
> .
>
> Vagrant, can you double-check please.

I don't think I have any affected hardware to test on, sorry.


live well,
  vagrant




Processed (with 1 error): unarchiving 967546, cloning 967546, reassign -1 to initramfs-tools ...

2020-11-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> unarchive 967546
> clone 967546 -1
Bug #967546 {Done: Raphaël Hertzog} [udev] udev: missing /dev/stdin etc.
Bug 967546 cloned as bug 975018
970678 was blocked by: 975017 967546
970678 was not blocking any bugs.
Added blocking bug(s) of 970678: 975018
> reassign -1 initramfs-tools
Bug #975018 {Done: Raphaël Hertzog} [udev] udev: missing /dev/stdin etc.
Bug reassigned from package 'udev' to 'initramfs-tools'.
No longer marked as found in versions systemd/246-2.
No longer marked as fixed in versions debian-installer-utils/1.134.
> retitle -1 setup /dev/stdin etc in initramfs-tools
Bug #975018 {Done: Raphaël Hertzog} [initramfs-tools] udev: missing /dev/stdin etc.
Changed Bug title to 'setup /dev/stdin etc in initramfs-tools' from 'udev: missing /dev/stdin etc.'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
967546: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967546
970678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970678
975018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#970699: linux: Enable amd_energy driver

2020-11-17 Thread David Schiller
On Fri, 2020-11-13 at 14:56 +0100, Salvatore Bonaccorso wrote:
> If we are going to enable this for our builds, then we might need to
> check that https://bugzilla.redhat.com/show_bug.cgi?id=1897402 is not
> opened accordingly.
> 
> This relates to
> 
> https://support.lenovo.com/lu/uk/product_security/LEN-50481
> 
> and probably the reason for
> 
> https://lore.kernel.org/stable/238e3cf7-582f-a265-5300-9b4494810...@roeck-us.net/T/#m11dee15be8c238d8858aafdf1a57e9ad7e0b9670

Thanks for the response!

I skimmed through the paper covering the CVE and they mostly focused on Intel
SGX and only touched upon AMD briefly. They did their measurements with disabled
boost and fixed frequency, a configuration that no system in the wild actually
uses. Moreover, the energy counters are exposed as an MSR, so in my opinion this
is more of a CPU-level bug.

Personally I feel like recent security efforts are often crippling usability for
negligible gains.
 
Just my two cents!





Processed: tagging 973369

2020-11-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 973369 + upstream fixed-upstream
Bug #973369 [src:linux] linux-image-5.9.0: No network at Banana Pi M3
Added tag(s) upstream and fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
973369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#973369: linux-image-5.9.0: No network at Banana Pi M3

2020-11-17 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch pending
Bug #973369 [src:linux] linux-image-5.9.0: No network at Banana Pi M3
Added tag(s) pending and patch.

-- 
973369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#973369: linux-image-5.9.0: No network at Banana Pi M3

2020-11-17 Thread Salvatore Bonaccorso
Control: tags -1 + patch pending

Hi,

On Mon, Nov 09, 2020 at 02:32:21PM +0100, Bernhard wrote:
> Hello Vagrant
> 
> Regarding correction:
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/arch/arm/boot/dts/sun8i-a83t-bananapi-m3.dts?h=next-20201029=57dbe558457bf4042169bc1f334e3b53a8480a1c
> 
> Currently, I had a look at kernel.org:
> In kernel 5.9.6, the necessary correction is not included.
> Also in kernel 5.10-RC3, this correction is not included.
> 
> Without this correction, the on-board Ethernet of my Banana Pi M3 is not
> working.
> An externally attached USB-->LAN interface works.
> 
> Do you think, there is a chance to add the very small correction to the 
> Debian kernel?
> 
> Best regards and thank you for your great support.

I have applied the change in
https://salsa.debian.org/kernel-team/linux/-/commit/0cfcaef8b5e52549952e89cb31cff1530a5efa42
.

Vagrant, can you double-check please.

Regards,
Salvatore



Bug#898446: Please reconsider enabling the user namespaces by default

2020-11-17 Thread Ben Hutchings
On Tue, 2020-11-17 at 11:18 -0500, Antoine Beaupré wrote:
[...]
> Could we get a little more hard data about the attack vectors here? I
> totally trust the security team's "gut feeling" on this, but it would be
> great to be able to evaluate more concretely what we're talking about
> here.
> 
> Local root privilege escalation, basically? Can we get a sense of what
> those vulnerabilities are, say with some example CVEs?

Yes, local privilege escalation.

From the advisories I've prepared, I think these are all LPEs that were
mitigated by our current patch:

CVE-2015-2041
CVE-2015-8709
CVE-2016-3134
CVE-2016-8655
CVE-2017-6346
CVE-2017-7184
CVE-2017-7308
CVE-2017-11600
CVE-2017-15649
CVE-2017-16939
CVE-2017-18509
CVE-2017-1000111
CVE-2018-16884
CVE-2019-15666
CVE-2020-14386

They seem to have slowed to a trickle at this point.  And there are
sadly lots of other LPE bugs that it has no effect on.

> I'm asking because my main concern with security these days is with the
> web browser. It's this huge gaping hole: every measure we can take to
> sandbox that thing is becoming more and more critical, so I wonder if
> our tradeoff evaluation is well adjusted here, especially considering
> a lot of user_ns consumers are bypassing those restrictions by running
> as root anyways...

I tend to agree with this.

Ben.

> It seems that, in those cases, we're getting the worst of both worlds...
> 
> a.
-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
 - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'





Bug#898446: Please reconsider enabling the user namespaces by default

2020-11-17 Thread Antoine Beaupré
On 2020-10-22 22:55:33, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Oct 20, 2020 at 05:21:24PM +0100, Simon McVittie wrote:
>> On Thu, 16 Apr 2020 at 03:09:25 +0100, Ben Hutchings wrote:
>> > I don't think we should keep patching in
>> > kernel.unprivileged_userns_clone forever, so the documented way to
>> > disable user namespaces should be setting user.max_user_namespaces to
>> > 0.  But then there's no good way to have a drop-in file that changes
>> > back to the upstream default, because that's dependent on system memory
>> > size.
>> > 
>> > So I think we should do something like this:
>> > 
>> > * Document user.max_user_namespaces in procps's shipped
>> >   /etc/sysctl.conf
>> > * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
>> >   it (log a warning if it's changed)
>> > * Document the change in bullseye release notes
>> 
>> Is this something you intend to do before bullseye, or is it now going
>> to be after bullseye?
>> 
>> If this is intended to happen before bullseye, I'd like enough time
>> before the freeze to put an as-graceful-as-possible transition in place
>> in the bubblewrap package.
>> 
>> (I'm not sure what form that transition should take - suggestions welcome!
>> Ideally I'd like bubblewrap to be setuid root if and only if we are still
>> using a kernel where it needs to be.)
>
> TBH, I think not having it enabled by default until now saved us a
> couple of times from needing to release urgent fixes. It is more a gut
> feeling and might not have enough weight: but having it still disabled
> in bullseye by default, we would still be better off from the security
> releases/DSA perspective.

Could we get a little more hard data about the attack vectors here? I
totally trust the security team's "gut feeling" on this, but it would be
great to be able to evaluate more concretely what we're talking about
here.

Local root privilege escalation, basically? Can we get a sense of what
those vulnerabilities are, say with some example CVEs?

I'm asking because my main concern with security these days is with the
web browser. It's this huge gaping hole: every measure we can take to
sandbox that thing is becoming more and more critical, so I wonder if
our tradeoff evaluation is well adjusted here, especially considering
a lot of user_ns consumers are bypassing those restrictions by running
as root anyways...

It seems that, in those cases, we're getting the worst of both worlds...

a.
-- 
It is a miracle that curiosity survives formal education
- Albert Einstein
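As an added example (not code from the thread, from Debian or from the kernel), the following POSIX shell check reports which of the two knobs discussed above, the Debian-specific kernel.unprivileged_userns_clone and the upstream user.max_user_namespaces, is currently restricting unprivileged user namespaces, and then probes the actual behaviour with util-linux's unshare(1). The sysctl paths are the real ones; the classification labels are my own, and the sysctl root is a parameter so the classifier can be exercised on a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): classify how the running kernel
# restricts unprivileged user namespaces via the two knobs discussed:
#   kernel.unprivileged_userns_clone  Debian-specific patch, 0 = blocked
#                                     for callers without CAP_SYS_ADMIN;
#                                     absent on an unpatched kernel
#   user.max_user_namespaces          upstream, 0 = blocked; the default
#                                     is derived from system memory size
# The sysctl root is a parameter so the classifier can be exercised on a
# constructed tree; on a live system call it with no argument.
userns_policy() {
    root="${1:-/proc/sys}"
    clone_file="$root/kernel/unprivileged_userns_clone"
    max_file="$root/user/max_user_namespaces"
    # Check the Debian knob first: when it is 0, the upstream limit does
    # not matter for unprivileged callers.
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo disabled-debian
        return 0
    fi
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo disabled-upstream
        return 0
    fi
    echo enabled
}

# Behavioural cross-check: try to create a user namespace as the current
# user with util-linux's unshare(1). Run it as an unprivileged user; a
# policy of "enabled" together with a probe of "blocked" points at another
# restriction, such as a seccomp filter or an LSM policy.
userns_probe() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if unshare -U true 2>/dev/null; then
        echo allowed
    else
        echo blocked
    fi
}

echo "policy: $(userns_policy)"
echo "probe:  $(userns_probe)"
```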



Processed: Re:

2020-11-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 972547 upstream
Bug #972547 [src:linux] linux-image-4.19.0-12-amd64: Freezing when unplugging wireless network adapter usb
Added tag(s) upstream.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
972547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#974939: machine does not boot

2020-11-17 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #974939 [src:linux] machine does not boot
Bug #971535 [src:linux] this package makes my laptop almost unbootable
Ignoring request to change severity of Bug 974939 to the same value.
Ignoring request to change severity of Bug 971535 to the same value.

-- 
971535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971535
974939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974939
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#974939: machine does not boot

2020-11-17 Thread Bastian Blank
Control: severity -1 important

On Mon, Nov 16, 2020 at 07:41:05PM +, Toni wrote:
> Severity: critical

Sorry, no.  This problem does not break the package for everyone.

> On the console, after dmesg, these three lines repeat ad nauseam:
> mdadm: No arrays found in config file or automatically
>   Volume group "ev0" not found
>   Cannot process volume group ev0
> mdadm: No arrays found in config file or automatically
>   Volume group "ev0" not found
>   Cannot process volume group ev0

So it actually boots, but the boot process is not able to find your root
filesystem?

> The disk configuration is pretty straightforward:
> 
> git:(master*)$ lsblk
> NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
> nvme0n1               259:0    0 953.9G  0 disk
> ├─nvme0n1p1           259:1    0 238.4M  0 part
> ├─nvme0n1p2           259:2    0   3.5G  0 part
> ├─nvme0n1p3           259:3    0   953M  0 part  /boot
> └─nvme0n1p4           259:4    0 949.2G  0 part
>   └─nvme0n1p4_crypt   253:0    0 949.2G  0 crypt
>     ├─ev0-swap        253:1    0  29.8G  0 lvm   [SWAP]
>     ├─ev0-root        253:2    0 789.4G  0 lvm   /

Yes, that looks pretty normal and like something the Debian installer
would create.

What is the content of /etc/crypttab? /etc/fstab? /boot/grub/grub.conf?
What do you have mdadm for?

Regards,
Bastian

-- 
You can't evaluate a man by logic alone.
-- McCoy, "I, Mudd", stardate 4513.3



Bug#974939: machine does not boot

2020-11-17 Thread Ben Hutchings
Control: tag -1 moreinfo
Control: severity -1 important

On Mon, 2020-11-16 at 19:41 +, Toni wrote:
> Package: src:linux
> Version: 4.19.152-1
> Severity: critical
> 
> 
> Hi,
> 
> with the two latest kernels, linux-image-4.19.0-12-amd64 and
> linux-image-4.19.0-11-amd64, my machine does not boot, the reason being
> that something with cryptsetup is amiss. I used to be asked for a
> passphrase, but using these two kernels, I'm not, and the machine just
> cycles trying to find the root partition. I am now running the -10
> kernel again, which I would like to get off of. I've tried recovery mode
> without any success.

This is probably an issue with the initramfs built for this kernel, and
not with the kernel itself.  Please send the output of the command:

lsinitramfs /boot/initrd.img-4.19.0-12-amd64

> On the console, after dmesg, these three lines repeat ad nauseam:
> 
> mdadm: No arrays found in config file or automatically
>   Volume group "ev0" not found
>   Cannot process volume group ev0
> mdadm: No arrays found in config file or automatically
>   Volume group "ev0" not found
>   Cannot process volume group ev0
[...]

If you wait for about 30 seconds you should get a shell with the prompt
"(initramfs)".  At the shell prompt, run:

ls -l /dev/nvme*

Are the expected partitions listed?

Ben.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
 - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
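To make the initramfs check Ben asks for concrete, here is an added example (not from the bug report or from initramfs-tools) that reads lsinitramfs output on stdin and prints which components a LUKS-on-LVM-on-NVMe root, as in Toni's lsblk layout, needs but the image does not contain. The module and binary names it looks for (nvme.ko, dm-crypt.ko, cryptsetup, lvm) are my assumptions about a typical image layout.

```shell
#!/bin/sh
# Added example, not from the bug report: read an lsinitramfs listing on
# stdin and print the components a LUKS-on-LVM-on-NVMe root needs but the
# initramfs does not contain. The names matched (nvme.ko, dm-crypt.ko,
# cryptsetup, lvm) are assumptions about a typical initramfs-tools image;
# the patterns allow any directory prefix and a compressed .ko suffix.
#
# Usage: lsinitramfs /boot/initrd.img-4.19.0-12-amd64 | initramfs_missing
initramfs_missing() {
    listing=$(cat)
    missing=""
    # Each entry is "label|extended-regex".
    for pair in \
        "nvme-driver|/nvme\.ko" \
        "dm-crypt|/dm-crypt\.ko" \
        "cryptsetup|(^|/)cryptsetup$" \
        "lvm|(^|/)lvm$"; do
        label=${pair%%|*}
        regex=${pair#*|}
        if ! printf '%s\n' "$listing" | grep -Eq -- "$regex"; then
            missing="$missing $label"
        fi
    done
    # Empty output means every component was found.
    echo "${missing# }"
}
```

An empty result means the listing contained all four; a missing cryptsetup or dm-crypt would fit the symptom above of the passphrase prompt never appearing while lvm keeps failing to find "ev0".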






Processed: Re: Bug#974939: machine does not boot

2020-11-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #974939 [src:linux] machine does not boot
Bug #971535 [src:linux] this package makes my laptop almost unbootable
Added tag(s) moreinfo.
Added tag(s) moreinfo.
> severity -1 important
Bug #974939 [src:linux] machine does not boot
Bug #971535 [src:linux] this package makes my laptop almost unbootable
Severity set to 'important' from 'critical'
Severity set to 'important' from 'critical'

-- 
971535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971535
974939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974939
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: maintenance

2020-11-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 971535 critical
Bug #971535 [src:linux] this package makes my laptop almost unbootable
Severity set to 'critical' from 'important'
> merge 974939 971535
Bug #974939 [src:linux] machine does not boot
Bug #974939 [src:linux] machine does not boot
Marked as found in versions linux/4.19.146-1.
Bug #971535 [src:linux] this package makes my laptop almost unbootable
Marked as found in versions linux/4.19.152-1.
Merged 971535 974939
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
971535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971535
974939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974939
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed (with 1 error): maintenance

2020-11-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> merge 974939 971535
Bug #974939 [src:linux] machine does not boot
Unable to merge bugs because:
severity of #971535 is 'important' not 'critical'
Failed to merge 974939: Did not alter merged bugs.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
971535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971535
974939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974939
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems