[Arm-dev] New kernel?

Mon Feb 27 12:28:06 UTC 2017
Jacco Ligthart <jacco at redsleeve.org>

Hi all,

in the end CVE-2017-6074 was fixed in 4.4.52 and 4.9.13

I also noticed that the upstream raspberry repo moved to 4.9. So I did a
build of that for raspberry2 (armv5). First result is that the current
spec file can be used with 'normal' changes. Just updating the code
blobs and the version number resulted in a booting raspberry2 kernel.
(hmm, now I think of it I tested only on a raspberry 3)

I guess this should be similar for armv7

next test: does it also work for raspberry version 1 :)

Jacco



On 24-02-17 13:08, Fabian Arrotin wrote:
> On 24/02/17 07:46, Fabian Arrotin wrote:
>> On 23/02/17 18:01, Fabian Arrotin wrote:
>>> On 23/02/17 17:46, Jacco Ligthart wrote:
>>>> On 23-02-17 17:16, Fabian Arrotin wrote:
>>>>> On 23/02/17 14:17, Robert Moskowitz wrote:
>>>>>> I see announcement of a new kernel for security updates.
>>>>>>
>>>>>> Any ETA for it here?
>>>>>>
>>>>>> thanks
>>>>>>
>>>>> I'm rebuilding kernel 4.4.50 (both generic and rpi variants) that would
>>>>> fix cve_2017_6074.
>>>>> I'll let you know when it will be ready for testing and after some
>>>>> feedback, I'll send those to the signing queue so that they can appear
>>>>> on mirror.centos.org
>>>> If I read the changelogs correctly, that CVE is not fixed in version 4.4.50
>>>>
>>>> I think I'll wait for 51 :(
>>>>
>>>> Jacco
>>>>
>>> I had no time to investigate further, but
>>> http://news.softpedia.com/news/linux-kernels-4-9-11-4-4-50-lts-bring-networking-improvements-updated-drivers-513073.shtml
>>> was mentioning DCCP
>>>
>>>
>> So I just had a quick look at this this morning and yes, it seems the
>> dccp patch wasn't included in 4.4.50 but rather in 4.4.51, so have
>> submitted a build for the generic kernel (I'll push it to testing repo
>> when built).
>> For raspberrypi, nothing (yet) rebased (upstream) to 4.4.51, but otoh it
>> seems that they have now switched to newer LTS 4.9.x version.
>>
>> For that CVE, I'd consider just bumping to 4.4.51, but investigating
>> having a rebase to 4.9.x (also LTS) seems a good option, but that has to
>> be tested too
>>
> And just replying to myself: CONFIG_IP_DCCP isn't set in the default
> bcm2709_defconfig used to build the rpi kernel, so nothing really to fix
> for those kernels.
> But as I built the 4.4.50 kernel for it, you can grab it from
> https://buildlogs.centos.org/centos/7/kernel/armhfp/kernel-rpi2/
>
> Still waiting for the 4.4.51 to finish building before pushing it to
> buildlogs.centos.org too (in kernel-generic repo)
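
The check described in the thread (whether CONFIG_IP_DCCP is set in the config a kernel was built from) can be scripted. The following is an added example, not part of the original thread or of the CentOS build tooling; the function names and the sample config contents are constructed for illustration, and the config path is whatever file you pass in (for example /boot/config-$(uname -r) or /proc/config.gz, where present).

```shell
#!/bin/sh
# Added example: classify CONFIG_IP_DCCP in a kernel config or defconfig.
# Function names and sample data are constructed, not from the thread.

# Print the config text, decompressing gzip files such as /proc/config.gz.
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Echo one of: builtin, module, disabled, unknown.
# A symbol missing from a defconfig falls back to its Kconfig default,
# which is off for IP_DCCP, so "absent" is reported as disabled.
dccp_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 2; }
    # Match only the IP_DCCP symbol itself, not CONFIG_IP_DCCP_CCID3 etc.
    line=$(read_config "$cfg" \
        | grep -E '^(# )?CONFIG_IP_DCCP( is not set|=)' | tail -n 1)
    case "$line" in
        CONFIG_IP_DCCP=y) echo builtin ;;
        CONFIG_IP_DCCP=m) echo module ;;
        *)                echo disabled ;;
    esac
}

# Run against constructed sample configs when no file is given.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_INET=y' '# CONFIG_IP_DCCP is not set' > "$d/rpi-like"
    printf '%s\n' 'CONFIG_INET=y' 'CONFIG_IP_DCCP=m' \
        'CONFIG_IP_DCCP_CCID3=y' > "$d/generic-like"
    for f in rpi-like generic-like; do
        printf '%s: %s\n' "$f" "$(dccp_state "$d/$f")"
    done
    rm -rf "$d"
}

if [ $# -gt 0 ]; then
    dccp_state "$1"
else
    demo
fi
```

A result of builtin or module means the kernel carries the DCCP code and needs the fixed version; disabled matches the rpi case described above.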