Hi all,
In the end, CVE-2017-6074 was fixed in 4.4.52 and 4.9.13.
I also noticed that the upstream raspberry repo moved to 4.9. So I did a build of that for raspberry2 (armv5). First result is that the current spec file can be used with 'normal' changes. Just updating the code blobs and the version number resulted in a booting raspberry2 kernel. (Hmm, now that I think of it, I tested only on a raspberry 3.)
I guess this should be similar for armv7.
Next test: does it also work for raspberry version 1 :)
Jacco

On 24-02-17 13:08, Fabian Arrotin wrote:
> On 24/02/17 07:46, Fabian Arrotin wrote:
>> On 23/02/17 18:01, Fabian Arrotin wrote:
>>> On 23/02/17 17:46, Jacco Ligthart wrote:
>>>> On 23-02-17 17:16, Fabian Arrotin wrote:
>>>>> On 23/02/17 14:17, Robert Moskowitz wrote:
>>>>>> I see announcement of a new kernel for security updates.
>>>>>> Any ETA for it here?
>>>>>> thanks
>>>>> I'm rebuilding kernel 4.4.50 (both generic and rpi variants) that would fix cve_2017_6074. I'll let you know when it will be ready for testing and after some feedback, I'll send those to the signing queue so that they can appear on mirror.centos.org
>>>> If I read the changelogs correctly, that CVE is not fixed in version 4.4.50
>>>> I think I'll wait for 51 :(
>>>> Jacco
>>> I had no time to investigate further, but http://news.softpedia.com/news/linux-kernels-4-9-11-4-4-50-lts-bring-network... was mentioning DCCP
>> So I just had a quick look at this this morning and yes, it seems the dccp patch wasn't included in 4.4.50 but rather in 4.4.51, so have submitted a build for the generic kernel (I'll push it to testing repo when built). For raspberrypi, nothing (yet) rebased (upstream) to 4.4.51, but otoh it seems that they have now switched to newer LTS 4.9.x version.
>> For that CVE, I'd consider just bumping to 4.4.51, but investigating having a rebase to 4.9.x (also LTS) seems a good option, but that has to be tested too
> And just replying to myself: CONFIG_IP_DCCP isn't set in the default bcm2709_defconfig used to build the rpi kernel, so nothing really to fix for those kernels. But as I built the 4.4.50 kernel for it, you can grab it from https://buildlogs.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
> Still waiting for the 4.4.51 to finish building before pushing it to buildlogs.centos.org too (in kernel-generic repo)
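
Added example, not part of the thread and not CentOS project code: a small shell check that combines the two facts discussed above, whether CONFIG_IP_DCCP is built at all and whether the kernel version has reached the fixed release for its series. The function names and verdict words are hypothetical, the fixed releases (4.4.52, 4.9.13) are the ones reported in the most recent message, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: classify a kernel build against CVE-2017-6074 using the
# CONFIG_IP_DCCP state and the fixed stable releases named in the thread.

# Read a kernel .config on stdin; print builtin, module or disabled.
dccp_state() {
    state=disabled   # covers "# CONFIG_IP_DCCP is not set" and an absent option
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            CONFIG_IP_DCCP=y) state=builtin ;;
            CONFIG_IP_DCCP=m) state=module ;;
        esac
    done
    printf '%s\n' "$state"
}

# First fixed patch level per stable series, as reported in the thread.
fixed_patch_for() {
    case "$1" in
        4.4) echo 52 ;;
        4.9) echo 13 ;;
        *) return 1 ;;   # series the thread does not cover
    esac
}

# assess VERSION < config : print one verdict word.
assess() {
    ver=${1%%-*}       # drop any "-v7"/build suffix
    series=${ver%.*}   # "4.4.50" -> "4.4"
    patch=${ver##*.}   # "4.4.50" -> "50"
    if [ "$(dccp_state)" = disabled ]; then echo dccp-not-built; return 0; fi
    case "$patch" in ''|*[!0-9]*) echo unknown-version; return 0 ;; esac
    if ! min=$(fixed_patch_for "$series"); then echo unknown-series; return 0; fi
    if [ "$patch" -ge "$min" ]; then echo patched; else echo update-needed; fi
}

# Constructed sample configs (not taken from any real build).
printf '# CONFIG_IP_DCCP is not set\n' | assess 4.4.50      # dccp-not-built
printf 'CONFIG_INET=y\nCONFIG_IP_DCCP=m\n' | assess 4.4.50  # update-needed
printf 'CONFIG_IP_DCCP=m\n' | assess 4.9.13-v7              # patched
```

On an installed system the same check can be fed the running kernel's config, for example `assess "$(uname -r)" < "/boot/config-$(uname -r)"`, assuming the distribution installs the config file at that path.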