From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: 3.14 kernel and LTS kernels
Date: Mon, 08 Jan 2018 10:20:19 +0000
Message-ID: <1515406819.3685.74.camel@ipfire.org>

Hello Jeffrey,

thanks for getting in touch.

So far, IPFire is based on the 3.14 kernel. It is heavily patched in IPFire
with grsecurity and a variety of other patches, so although it is EOL
upstream, we still maintain this kernel.

However, this is not a very good state for us because we want all the
improvements and benefit from the hard work that the kernel community puts
into new releases and not put extra work into it. But rebasing the
distribution on a new kernel is hard work.

Arne has been working on that for several months now and kernels for x86_64
and i586 are already available here:

  https://people.ipfire.org/~arne_f/highly-experimental/kernel/

I have been running those kernels for several months now on some of my own
systems and other people have been testing them well and they are very solid
and almost ready for release.

However, the ARM kernels are causing us a bit of a headache at the moment and
have been delaying the entire release process of this kernel. Arne is still
on it. Certainly this kernel will arrive in Q1.

If you want to, you can already download the archives there, extract them
onto your system, run "update-bootloader" and reboot into the new kernel.

  https://bugzilla.ipfire.org/showdependencytree.cgi?id=11548

There are only minor issues left. Please send us your feedback.

I will also issue a statement on the latest CPU bugs affecting Intel and
other vendors hopefully later today.

Since the firewall is not running any untrusted code (e.g.
JS in a web browser), this is not so easily exploitable as it is on other
systems. Any remote code execution vulnerability in any software running on
IPFire will of course allow an attacker to take advantage of this bug as
well, so that means we cannot wait forever to patch this.

The 4.14.11 and later kernels from Arne's directory are patched against
Meltdown and Spectre.

Best,
-Michael

On Mon, 2018-01-08 at 04:39 -0500, Jeffrey Walton wrote:
> Hi Everyone,
>
> I noticed IPfire 117 uses the 3.14 kernel:
>
> # uname -r
> 3.14.79-ipfire-pae
>
> I believe that was EOL about a year ago. It is not going to get the
> patches for the cpu bugs; and it has not gotten patches for many other
> vulnerabilities. Also see
> http://kroah.com/log/blog/2018/01/06/meltdown-status/ .
>
> Are there plans to move to a 4.x kernel or other LTS kernel?
>
> Thanks in advance,
>
> Jeffrey Walton
N2YxQVJBb3MxdWh6cmhhbFFoenNIQlZmTUJmWEFFL2tDY1p5QitWMHFacTBkUFNHQldFNVEKS1Qr UE83T0JiN3J3dlZKR3Vpd3hZR2pUNW9PdjR0ZGxNUnlIcW51ZUE0YWFEdWhGaGRHMlBSWklneXpW MjVyegpkVDdrVk5xbE1hR3ROaDJzVVIyWC9VQkVnR01adTd5ZnhhODIxTkt1Qnprb0hzV3VEeEU9 Cj1ZK2hhCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============0257523323028921226==--