Vulnerability in the Linux kernel... when 7.0.1?

B50D
Offline
Joined: 05/30/2015

*when Trisquel 7.0.1?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Ciao BSOD!
Indeed the kernel for Buguntu 14.04 LTS and all the derivatives using that kernel (like Trisquel 7) must upgrade to linux-image-3.13.0-68 (3.13.0-68.111).

uname -a will give you the output of what kernel is currently running on your OS. I guess the developers already pushed the updated kernel. If not, I would suggest you install the latest jxself's libre kernel 4.3

pizzaiolo
Offline
Joined: 03/12/2015

BSOD: A possible workaround is to use the latest kernel: https://jxself.org/linux-libre/

onpon4
Offline
Joined: 05/30/2012

There's no need for a "workaround". Trisquel is up-to-date here.

B50D
Offline
Joined: 05/30/2015

OK, but all the people who download the ISO and boot Trisquel in live have this vulnerability, and not only this

onpon4
Offline
Joined: 05/30/2012

Do you have any idea how often security vulnerabilities are discovered and fixed? It would be terribly impractical to release a new live ISO every time this happens, and no distro does this (edit: except distros that are designed to always be run from a live CD, and never installed, like Tails). New ISOs are either released when a new major version of the system is released, or in regular intervals of something like 6 months or a year. In the latter case, the purpose isn't to patch security vulnerabilities, it's to reduce the amount of time a new user has to spend installing updates, or in some cases to provide newer kernels so that the system can more easily be installed on newer hardware.

Making sure the system is up-to-date is why Ubiquity offers the option to download updates while installing. But even if the user chooses not to do this, the danger is minimal as long as updates are installed before too long.

Pyraman
Offline
Joined: 06/05/2014

In any case, I think it is a perfect time to release a new version of Trisquel ISO,
because it has not been updated for 1.5 years already... With such rare update frequency,
head Trisquel developers might simply forget how to build a Trisquel ISO when such need arises in future

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

> it has not been updated for 1.5 years already

Trisquel 7 was released on 11/03/2014

onpon4
Offline
Joined: 05/30/2012

> With such rare update frequency, head Trisquel developers might simply forget how to build a Trisquel ISO

What an astonishingly low opinion of the Trisquel developers' memory capacity...

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

^ lol Onpon
I didn't even read that part :)

vita_cell
Offline
Joined: 07/19/2015

No problem here, cuz the GNU update system is not like the fully bloated "Windows Bugdate". In GNU you can update easily and very very fast.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Hmm, don't you need to reboot in order for the kernel to get actually upgraded or am I wrong?

vita_cell
Offline
Joined: 07/19/2015
SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

well, that doesn't apply to Trisquel 7 live. So, yeah, as BSOD pointed out it is vulnerable.

hack and hack
Offline
Joined: 04/02/2015

What about the updates that can be done during the installation? Is it something different?

Calinou
Offline
Joined: 03/08/2014

During installation, you can choose if updates are downloaded if you have an Internet connection, but they will never be installed automatically. When you boot the installed system for the first time, it will prompt you to install the updates directly, which will require a reboot since the kernel is almost always updated after the release.
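Added example, not part of any post in this thread: a shell check that combines the fixed kernel version named earlier in the thread (3.13.0-68) with the reboot point made above, reporting whether the running kernel is patched, a patched kernel is installed but not yet booted, or an update is still needed. It assumes GNU `sort -V` and kernel images named `/boot/vmlinuz-<release>`; the release strings in the comments are constructed samples, and the comparison is by version number only.

```shell
#!/bin/sh
# Fixed kernel version as quoted in the thread.
FIXED="3.13.0-68"

# Strip the flavour suffix from a release string.
# Constructed samples: "3.13.0-68-generic" -> "3.13.0-68", "4.3.0-gnu" -> "4.3.0"
base_version() {
    printf '%s\n' "$1" | sed 's/-[a-z][a-z0-9]*$//'
}

# Succeeds when kernel release $1 is at or above version $2.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$(base_version "$1")" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Newest kernel image found in directory $1 (normally /boot).
newest_installed() {
    ls "$1"/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1
}

# Classify the system from the running release ($1) and the boot directory ($2).
#   patched        running kernel is at or above the fixed version
#   reboot-needed  a fixed kernel is installed, but an older one is still running
#   update-needed  no fixed kernel is installed (e.g. a live session from an old ISO)
kernel_status() {
    running=$1
    newest=$(newest_installed "$2")
    if version_at_least "$running" "$FIXED"; then
        echo "patched"
    elif [ -n "$newest" ] && version_at_least "$newest" "$FIXED"; then
        echo "reboot-needed"
    else
        echo "update-needed"
    fi
}

# Report for the machine this script runs on.
kernel_status "$(uname -r)" /boot
```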

hack and hack
Offline
Joined: 04/02/2015

I see, thanks for the clarification.
I don't understand Italian, so it makes that vulnerability even scarier.
What does it say about that vulnerability?
What I'm barely deciphering is that it allows a DDOS attack from KVM, and that Canonical released a patch.

What does it say about the LiveCD?
Does that mean that jxself's upgrade is good enough?
What about the reboot, how would that be a problem?

onpon4
Offline
Joined: 05/30/2012

You mean the article the OP linked to? It references this article which is in English:

http://linux.softpedia.com/blog/canonical-patches-linux-kernel-vulnerability-in-ubuntu-15-10-15-04-14-04-and-12-04-lts-495939.shtml

So, it's a vulnerability that makes it possible for someone to crash your system. Not especially dangerous for typical desktop users.

hack and hack
Offline
Joined: 04/02/2015

I see, thanks.

Wait, is that a vulnerability that allows an attacker on KVM ON THE SAME MACHINE to launch a DOS attack?
That would be troublesome IF the machine is stolen, and not encrypted of course. Otherwise, it doesn't seem like a threat at all.

That might be another quick conclusion from me, but from what I gather, it's not a dangerous vulnerability.
I guess there might be a way to implement such an attack against a fresh install, but regarding the necessary and unlikely conditions for the attack to happen, this can't seriously be considered a threat.

onpon4
Offline
Joined: 05/30/2012

There's really no need to analyze the danger of it. It's fixed. Trisquel is up-to-date. (This was already the case when this topic was started.)

hack and hack
Offline
Joined: 04/02/2015

Not that I'm worried or anything (my line on the Italian language above is not to be taken seriously), especially if my analysis is correct: I just find this interesting. But since it's already fixed, it's even better.