On 25/01/16 17:29, Fabian Arrotin wrote:
> Hi,
>
> With the recent CVE-2016-0728, I was quickly having a look at
> updating the different kernels we ship through the official
> images. Actually we only have two kernels:
> - what I'd call the "generic" one (that can be used on multiple
>   boards directly, and following the Fedora upstream kernel)
> - the raspberrypi2 variant (built from sources located at
>   https://github.com/raspberrypi/linux)
>
> I've built (and tested those locally myself) the following updated
> kernels (including patches for CVE-2016-0728):
> - kernel-4.3.3-200.el7.armv7hl.rpm (updating
>   kernel-4.2.3-200.el7.armv7hl.rpm)
> - raspberrypi2-kernel-4.1.16-v7+.1.20160125gitab2b2e0.el7.armv7hl.rpm
>   (for rpi2, obviously, updating
>   raspberrypi2-kernel-4.1.11-v7+.1.20151021git4047fe2.el7.armv7hl.rpm)
>
> One important thing is that actually we still lack an automatic
> update process, something I'd like to work on (with you?) in the
> following days/weeks. But you can already test the updated/unsigned
> kernels (feedback wanted!)
>
> - create the /etc/yum.repos.d/ .repo file pointing to the
>   corresponding repo, depending on your board:
>   - http://dev.centos.org/centos/7/kernel/armhfp/kernel-generic/
>   - http://dev.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
>   as an example, here is what it would look like:
>
>   [kernel-generic]
>   name=armhfp kernel generic
>   baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-generic/
>   gpgcheck=0
>   enabled=1
>
>   or
>
>   [kernel-rpi2]
>   name=armhfp rpi2 kernel
>   baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
>   gpgcheck=0
>   enabled=1
>
> - now "yum clean all ; yum update"
>
> - as the current call to "/bin/kernel-install add" (from systemd
>   shipped with CentOS 7) doesn't cover - in the whole chain - armhfp,
>   one then needs to build the initramfs + modify boot config
>
>   rpi2:
>   - dracut /boot/initramfs-4.1.16-v7+.1.20160125gitab2b2e0.el7.img 4.1.16-v7+.1.20160125gitab2b2e0.el7
>   - systemctl reboot
>
>   generic:
>   - dracut /boot/initramfs-4.3.3-200.el7.armv7hl.img 4.3.3-200.el7.armv7hl
>   - edit /boot/extlinux.conf to modify the kernel/initrd
>   - systemctl reboot
>
> Thanks for the testers, and after we can edit the wiki page, and
> start working on a script that would automate all that.
>
> Cheers,

Just wondering if someone had time to check/test this?

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
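
Added example, not part of the original mail or of any CentOS tooling: the test repo stanzas quoted above set gpgcheck=0 and use a plain http baseurl, so this sketch lists every enabled repo section that disables signature checking, which helps confirm the test repo is disabled or removed once testing is done. The function names, the sample file and the [signed-example] stanza (placeholder URL) are constructed for illustration.

```shell
# Added example: list enabled yum repo sections that set gpgcheck=0
# and show the baseurl scheme. Not from the original post.
audit_repos() {
    # $1: directory holding *.repo files (normally /etc/yum.repos.d)
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function report() {
                if (section != "" && enabled != "0" && gpgcheck == "0")
                    printf "%s [%s] gpgcheck=0 scheme=%s\n", file, section, scheme
            }
            /^[ \t]*[#;]/ { next }                    # skip comment lines
            /^[ \t]*\[.*\][ \t]*$/ {                  # section header
                report()                              # flush previous section
                section = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
                enabled = "1"; gpgcheck = "unset"; scheme = "unknown"
                next
            }
            /=/ {
                key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
                val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "enabled")  enabled = val
                if (key == "gpgcheck") gpgcheck = val
                if (key == "baseurl") { scheme = val; sub(/:.*/, "", scheme) }
            }
            END { report() }
        ' "$f"
    done
}

write_sample() {
    # Constructed sample: stanzas modelled on the mail plus a hypothetical signed repo.
    cat > "$1/sample.repo" <<'EOF'
[kernel-generic]
baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-generic/
gpgcheck=0
enabled=1
[kernel-rpi2]
baseurl=http://dev.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
gpgcheck=0
enabled=0
[signed-example]
baseurl=https://mirror.example.invalid/repo/
gpgcheck=1
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp" && audit_repos "$tmp"; rm -rf "$tmp"
```

Sections that omit gpgcheck inherit the value from [main] in yum.conf and are not flagged here; only an explicit gpgcheck=0 on a section that is not disabled is reported.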