You are not logged in.
I just read about CVE-2020-14386 [1][2].
It's not listed under https://security.archlinux.org/issues/all.
Are the current Kernels linux 5.8.7.arch1-1 and linux-lts 5.4.63-1 vulnerable to this issue or has the patch by Or Cohen already been backported?
[1] German news article: https://www.golem.de/news/linux-keine-e … 50712.html
[2] Original announcement: https://seclists.org/oss-sec/2020/q3/146
Last edited by schard (2020-09-08 13:41:50)
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Offline
Doesn't look like the patch has been backported.
https://git.archlinux.org/linux.git/log/?h=v5.8.7-arch1
As a mitigation you can disable user namespaces (set the sysctl kernel.unprivileged_userns_clone to 0)
Last edited by progandy (2020-09-07 13:08:25)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Mod note: Moving to Kernel Issues.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
Fix is queued for 5.8.8 [1] and 5.4.64 [2].
[1] https://git.kernel.org/pub/scm/linux/ke … 041bcb0257
[2] https://git.kernel.org/pub/scm/linux/ke … 969eb2b674
Offline
Doesn't look like the patch has been backported.
https://git.archlinux.org/linux.git/log/?h=v5.8.7-arch1As a mitigation you can disable user namespaces (set the sysctl kernel.unprivileged_userns_clone to 0)
e.g. the linux-hardened kernel.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
Debian's security tracker says that kernel 5.8.7 in sid is fixed[0] so I think that would also apply to Arch's linux package in [core].
Huh? Where did you get that from? You've already been told it is available upstream as a pending 5.8.8 update, which per definition means if debian has it in 5.8.7 they have manually backported it.
And indeed they did: https://salsa.debian.org/kernel-team/li … 8698bf4f8e
This does not in any way "also apply" to Arch's linux package in [core]. It could, possibly, coincide due to coincidence with an independent backport by Arch's linux package in [core].
It does coincide with an independent backport in the linux-hardened package, which was never vulnerable to begin with due to disabling userns by default.
Last edited by eschwartz (2020-09-07 17:59:13)
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
Yes, sorry eschwartz, I've had a long day and I'm clearly too tired to think straight. Sorry for the noise.
Offline