Linux Kernel 0day

cb474

Linux Kernel 0day

Post by cb474 »

Does anyone know if this extremely bad 0day bug in the Linux kernel has been patched in LMDE?

http://perception-point.io/2016/01/14/a ... 2016-0728/
http://arstechnica.com/security/2016/01 ... id-phones/

I found a tracker for the bug at Debian, but the version numbers for the LMDE kernel seem to be a bit different, so I can't tell if LMDE has been patched or not:

https://security-tracker.debian.org/tra ... -2016-0728

According to that the Jessie kernel remains vulnerable, but not the "Jessie (security)" kernel. I don't really understand the difference between the two kernels.

*

In fact, on my system it's a bit confusing what kernel I have running. If I use the "uname -r" command, it tells me I'm running "3.16.0-4-amd64." But if I look in Synaptic it lists the name of the package in the package column for the "linux-image" and "linux-headers" as "3.16.0-4-amd64," but in the "installed version" column it lists "3.16.7-ckt9-3+deb8u1" (which is older than the vulnerable Jessie kernel in the debian tracker for this 0day). It also shows that there is a newer version in the "latest version" column in Synaptic, "3.16.7-ckt20-1+deb8u3" (which is the patched version listed in the tracker for the 0day).

So I'm confused by the naming pattern for the kernel in LMDE and I'm confused why the package name doesn't accurately reflect the actual kernel version. And if there is a newer version in Synaptic, why is the LMDE updater not offering to install it? Should I just upgrade in Synaptic to get the patch?
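An added example, not from this thread: the confusion in the post comes from `uname -r` showing the kernel ABI name (3.16.0-4-amd64), which stays the same across security rebuilds, while the dpkg package version (3.16.7-ckt9-3+deb8u1 installed, 3.16.7-ckt20-1+deb8u3 fixed) is what the Debian tracker compares. The Python below reimplements Debian's version ordering so that comparison can be made on any machine without dpkg; the two version strings are the ones quoted in the post.

```python
# Added example: Debian version ordering (deb-version(7)) in plain Python, so the
# dpkg version Synaptic shows can be checked against the tracker's fixed version.
import re

# Values from the post. uname -r (3.16.0-4-amd64) is only the ABI name and does
# not change across security rebuilds, so it cannot tell patched from unpatched.
INSTALLED = "3.16.7-ckt9-3+deb8u1"   # Synaptic "installed version"
FIXED = "3.16.7-ckt20-1+deb8u3"      # fixed version on the Debian tracker

def _char_order(c):
    """Non-digit ordering: '~' < end-of-string < letters < other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_alpha(a, b):
    """Compare two non-digit runs character by character."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    """Compare upstream or revision strings by alternating non-digit/digit runs."""
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_alpha(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(version):
    """Split into (epoch, upstream, revision); the last '-' starts the revision."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed, fixed=FIXED):
    """True when the installed package version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0
```

On a real system the installed string comes from `dpkg-query -W -f='${Version}' linux-image-3.16.0-4-amd64`, the package name being the ABI name the post saw in the Synaptic package column.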
Dr. Octagon

Re: Linux Kernel 0day

Post by Dr. Octagon »

It was fixed three days ago in LMDE2/Debian... with normal configuration, don't panic!
Even though it was not a critical flaw, because it wasn't executed without physical access to the machine... and it needs many minutes to "break" something in any case!

If the kernel update isn't available to you, you should mark in the options of the update manager "show security updates every time (even if they are of category 5 like kernel updates)" -> I don't know what it was like in an English environment... just a simple how-to from my side. :)

In other words: Yes, you can install the newer kernel via synaptic... but be aware... it is category 5... ;) On my side there are no bugs encountered by now.

Cu
Dr. Octagon
killer de bug

Re: Linux Kernel 0day

Post by killer de bug »

Debian is always very reactive to security problems. No need to worry. Especially with Debian Stable. They take great care of it.
As mentioned, we have seen this update a few days ago already. :wink:
bigbenaugust

Re: Linux Kernel 0day

Post by bigbenaugust »

The backports kernel got updated today also... no points for guessing why.
exploder

Re: Linux Kernel 0day

Post by exploder »

I echo what killer de bug stated! Debian is very good about security and I have yet to have ever had any issue with a Debian security update.
bigbenaugust

Re: Linux Kernel 0day

Post by bigbenaugust »

I run LMDE with some backports packages on my workstation at work, and it gets security scanned weekly. Not only do I come up clean every time (which has been an issue with some other distros), I had to turn off SSH connection throttling for the security scanner IPs because it was causing scans to fail.
:mrgreen:
cb474

Re: Linux Kernel 0day

Post by cb474 »

Dr. Octagon wrote:It was fixed three days ago in LMDE2/Debian... with normal configuration, don't panic!
Even though it was not a critical flaw, because it wasn't executed without physical access to the machine... and it needs many minutes to "break" something in any case!

If the kernel update isn't available to you, you should mark in the options of the update manager "show security updates every time (even if they are of category 5 like kernel updates)" -> I don't know what it was like in an English environment... just a simple how-to from my side. :)

In other words: Yes, you can install the newer kernel via synaptic... but be aware... it is category 5... ;) On my side there are no bugs encountered by now.

Cu
Dr. Octagon
Thanks for the explanation about the settings in the update manager. I naively assumed that showing security updates would be the default setting in LMDE and didn't realize there were as many options in there as there are.

Thanks to everyone else for the replies also. I know Debian is good about security. I ran a Debian testing/unstable system for a long time, years ago. And I think it was clear in my first post that I knew Debian had already patched the kernel. I explicitly linked to the Debian issue tracker showing that.

So it wasn't Debian I was worried about. It was LMDE. They're close, but they're not synonymous.

To be fair, LMDE and Mint in general have not always made security a top priority, in my experience (as someone who used LMDE from day one). Case in point, not pushing out the patched kernel right away. Maybe it could cause problems, although the one thing I've never had a problem with is running the latest kernel. Indeed, I run Arch on another machine and always have the newest, most up to date kernel, and over years that is the one package update that has never caused me problems. But maybe for other more sophisticated uses it does. Anyway, it seems like security and usability have to be weighed against each other. This kernel bug seems serious enough that it should get pushed directly to LMDE users. And LMDE users are the type of people prepared for a little breakage. That's how I see it.
bigbenaugust

Re: Linux Kernel 0day

Post by bigbenaugust »

But that was the first iteration of LMDE, based on Debian Testing (which I don't think gets security updates), with all of the "update pack" silliness of staged updates and instability. LMDE2 gets around all of that by just using Debian Stable.
cb474

Re: Linux Kernel 0day

Post by cb474 »

bigbenaugust wrote:But that was the first iteration of LMDE, based on Debian Testing (which I don't think gets security updates), with all of the "update pack" silliness of staged updates and instability. LMDE2 gets around all of that by just using Debian Stable.
Nonetheless, Debian Jessie has already had the security update of the kernel pushed out to the system for end users. In fact, it went out on January 2, well before the public announcement of the security vulnerability. Whereas for some reason it is still being held back as "unstable" by LMDE. So LMDE, as I said, is not updated in exactly the same way as Debian.

I don't know what the reason is for this, since I would assume anything Debian thought was good enough to push out to stable is, well, more than good enough for LMDE. I do recall Clem once saying that security was not the top goal of LMDE. Yes, the shift to LMDE 2 did allow for more stability and timely security updates. But it still appears that a different set of choices are being made about how to issue updates than the choices of Debian itself.

I really don't get it. I would think the default setting in the LMDE updater should be to accept security updates always. More sophisticated users can choose not to do that if they have a reason.
killer de bug

Re: Linux Kernel 0day

Post by killer de bug »

cb474 wrote: Nonetheless, Debian Jessie has already had the security update of the kernel pushed out to the system for end users. In fact, it went out on January 2, well before the public announcement of the security vulnerability. Whereas for some reason it is still being held back as "unstable" by LMDE. So LMDE, as I said, is not updated in exactly the same way as Debian.
Well if you say this, then you don't understand how LMDE works.
We got the update at exactly the same time as Debian, since we use exactly the same repo for this.

It is your call to display all updates available and apply them (either all, or by choosing). I got this fix at the same time as the other Debian users.
cb474

Re: Linux Kernel 0day

Post by cb474 »

killer de bug wrote:
cb474 wrote: Nonetheless, Debian Jessie has already had the security update of the kernel pushed out to the system for end users. In fact, it went out on January 2, well before the public announcement of the security vulnerability. Whereas for some reason it is still being held back as "unstable" by LMDE. So LMDE, as I said, is not updated in exactly the same way as Debian.
Well if you say this, then you don't understand how LMDE works.
We got the update at exactly the same time as Debian, since we use exactly the same repo for this.

It is your call to display all updates available and apply them (either all, or by choosing). I got this fix at the same time as the other Debian users.
I guess it seems to me that you're in fact misunderstanding how LMDE works, as well as having not read my post carefully.

The LMDE updater comes with a set of default settings. In those settings, always displaying security updates is disabled. So in a default configuration, LMDE users do not get all updates at the exact same time as in Debian Stable (i.e. Jessie).

Further, LMDE uses a rating system for updates. Currently the security update to the kernel is labeled "5," which is described in the updater as "unstable." Whereas in Debian this update was pushed straight out to Jessie and is considered stable.

So although technically all of the updates from Debian are available to LMDE users at the time they are issued, in practice, because of the way the LMDE updater works, the updates from Debian are treated differently by LMDE and are not necessarily rolled out to end users as quickly. In this case a kernel update that Debian considers stable, LMDE is treating as unstable (I really do not understand why).

Further, as I said, I don't see why the default setting in LMDE should be to not show all security updates. That seems like really backwards priorities. It's putting usability in all instances, no matter how small, above security, even with critical security updates. And this despite the fact that Debian considers these updates usable enough for its stable distro (so it's hard to imagine the very small, if even existent, usability concerns that LMDE thinks are more important than critical security updates). I think if people want to opt out of immediate security updates that should be an option in the preferences, not the default setting.

So in effect the default settings in LMDE and the way LMDE labels updates as "unstable" that Debian considers stable does mean that the update process for LMDE works differently than for Debian. It's just not "exactly the same" as in Debian, as you assert. LMDE has added an extra layer of what's considered stable and unstable, within the confines of the packages in Debian's stable repo itself.
KilUma

Re: Linux Kernel 0day

Post by KilUma »

I just started a new post about this topic after searching for "CVE-2016-0728" and finding nothing. If a moderator would move/delete that topic, that'd be great. Thanks!! :roll:

It's posted in "Other topics". [http://forums.linuxmint.com/viewtopic.p ... 0#p1121200]
Last edited by KilUma on Sat Jan 23, 2016 2:11 am, edited 2 times in total.
openmind

Re: Linux Kernel 0day

Post by openmind »

Dr. Octagon wrote: Even though it was not a critical flaw, because it wasn't executed without physical access to the machine
That's not true at all.
... and it needs many minutes to "break" something in any case!
That wouldn't make it any less bad per se.
Zill

Re: Linux Kernel 0day

Post by Zill »

cb474 wrote:The LMDE updater comes with a set of default settings. In those settings, always displaying security updates is disabled. So in a default configuration, LMDE users do not get all updates at the exact same time as in Debian Stable (i.e. Jessie).
I have to agree with cb474 on this one. While Debian Stable is fixed in the sense that no change in functionality is made for the life of the release, this does not mean that packages are not updated with security patches as and when necessary.

Debian do not update Stable packages (particularly when kernel related) unless they are thoroughly checked and are totally compatible with other packages in the release. As LMDE uses Debian Stable as a base, it is surely sensible to track Debian stable as closely as possible to ensure that LMDE users also get the benefit of closing known security holes.

While it is, of course, possible for knowledgeable users to tweak the LMDE Update Manager preferences to show such security updates, the default is that even the existence of these updates is hidden.

IMHO, this is wrong as security updates provided by Debian should be recommended by LMDE for installation and the Update Manager defaults should be changed accordingly.
Dr. Octagon

Re: Linux Kernel 0day

Post by Dr. Octagon »

openmind wrote:
Dr. Octagon wrote: Even though it was not a critical flaw, because it wasn't executed without physical access to the machine
That's not true at all.
... and it needs many minutes to "break" something in any case!
That wouldn't make it any less bad per se.
You are right... I just wanted to show that this flaw didn't get a "highest risk category" because of these 2 points (and I think the first one is very important so as not to fall into panic!).

Zill wrote:
cb474 wrote:The LMDE updater comes with a set of default settings. In those settings, always displaying security updates is disabled. So in a default configuration, LMDE users do not get all updates at the exact same time as in Debian Stable (i.e. Jessie).
While it is, of course, possible for knowledgeable users to tweak the LMDE Update Manager preferences to show such security updates, the default is that even the existence of these updates is hidden.

IMHO, this is wrong as security updates provided by Debian should be recommended by LMDE for installation and the Update Manager defaults should be changed accordingly.
I agree, too... and by the way: in the user manual (Mint) there is a notice like "just enable category 4 and 5 updates (unhide them), because more often than not the hiding causes more problems than installing them anyway"! THIS isn't right (maybe just for LMDE2!)!! But security updates must be visible all the time.
killer de bug

Re: Linux Kernel 0day

Post by killer de bug »

Dr. Octagon wrote:THIS isn't right (maybe just for LMDE2!)!!
Well... This is the LMDE section and therefore information posted here refers to LMDE. Not to any other editions. :)
Zill

Re: Linux Kernel 0day

Post by Zill »

killer de bug wrote:
Dr. Octagon wrote:THIS isn't right (maybe just for LMDE2!)!!
Well... This is the LMDE section and therefore information posted here refers to LMDE. Not to any other editions. :)
It would still be interesting to know the thinking behind hiding standard Debian security updates from LMDE users by default... :?
cb474

Re: Linux Kernel 0day

Post by cb474 »

Zill wrote:
killer de bug wrote:
Dr. Octagon wrote:THIS isn't right (maybe just for LMDE2!)!!
Well... This is the LMDE section and therefore information posted here refers to LMDE. Not to any other editions. :)
It would still be interesting to know the thinking behind hiding standard Debian security updates from LMDE users by default... :?
Yes, I'd be interested to know that also. It's hard for me to imagine, as I said above, that they pose significant usability problems.
cb474

Re: Linux Kernel 0day

Post by cb474 »

It looks like the issue of how Mint classifies security updates initially as "unstable" has come up now and again, with respect to regular (Ubuntu based) Mint. Other people also think it doesn't make much sense. See:

http://community.linuxmint.com/idea/view/5074
http://community.linuxmint.com/idea/view/3502

In the second link, someone quotes Clem's explanation of why security updates are treated the way they are, from a 2012 Mint blog post. Basically he says, if you don't know what the security issue is that's being fixed, you should not just willy-nilly accept all security updates, when you risk stability to your system. In essence, it seems that the position is to put system stability above all else, even security.

It seems to me if Mint's goal is to be user friendly and if it is going to rank updates, then ranking them only on stability and providing no advice to end users about the severity of a security risk doesn't really make sense. Why in the one case assume that end users need some help (hence the level rankings) understanding the safety of package updates as far as stability goes? But in the other case provide no help at all as far as the safety of packages for security goes and assert that it's up to users to figure it out themselves? In other words, why provide guidance to users on issues regarding stability, but not security? Part of being user friendly is not subjecting end users to risks that could screw up their life, which could easily be far more important than breaking a package on their system.

*

Anyway, that aside, I have a question: Am I correct in concluding that non-security updates for LMDE labeled "4" and "5" are updates that Debian itself has already pushed out to Jessie/stable? For example, right now I'm seeing updates to dbus, mesa, xorg-xserver-video-modsetting, base-files, linux-tools, which are labeled "4" or "5." Are those in fact updates that are already in the Jessie repos?
killer de bug

Re: Linux Kernel 0day

Post by killer de bug »

cb474 wrote: Part of being user friendly is not subjecting end users to risks that could screw up their life, which could easily be far more important than breaking a package on their system.
I will not discuss the impact of security fixes provided by the updates. Too many things to say, to analyze, and people always forget that installing an update is potentially creating a new breach.

Here are a few important points:

1) Clem has addressed this question a long time ago. It was in 2013. His answer is still valid. http://segfault.linuxmint.com/2013/11/a ... configure/

2) LMDE is expected to be used by users who know what they are doing. They are supposed to know how to configure the Update Manager to their wishes. It may not even be used and therefore levels are bypassed (apt/terminal way of life).

3) Linux is about choices and freedom. If you expect all updates to be pushed without you doing your job, maybe it's not the right system.

4) I decided to verify what you say. I downloaded the Betsy ISO. I took this one: http://www.linuxmint.com/edition.php?id=185
I installed it in a VB. This is a new install with a new VB. No leftovers from a previous install. Brand new.
Just after install here are the default settings (sorry for this pic, I forgot to place the system in English):
[Image: Update Manager default settings right after install]
Note that security updates are by default shown.

Then I applied the update to install Mint Update 5.0. This is the latest version. Look at the default settings:
[Image: Update Manager default settings after updating to Mint Update 5.0]
[Image: Update Manager default settings after updating to Mint Update 5.0, second screen]
Security updates are still shown by default.


Therefore, I really think that you are counting angels on a pinhead. LMDE users with the latest ISO have security updates shown by default. LMDE users also have the choice to display all levels of updates. They are in control of their system.