Hello,
On 10 Apr 2021, at 13:52, Peter Müller <peter.mueller@ipfire.org> wrote:
Hello Arne,
thank you for this patch.
Skimming through it, I stumbled across one small oddity - please see below.
Looking at https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.230, I regret to notice Linux 4.14.230 has been released meanwhile, fixing CVE-2021-29154 - for x86_64 only. (Once more, we see 32-bit architectures dying away...)
Do we consider CVE-2021-29154 critical enough to undergo an update to 4.14.230 in Core Update 157?
Sorry to phrase this in really strong words, but no.
There is *always* another kernel release. And yes, they fix bugs in them. Many, but often generally quite unimportant ones. There is always a corner case when you have a 16PB volume and you write a lot of data on it, that ext4 might lose a byte or something similar. Those bugs do not affect us and we should not assume that most of them would.
If we treated every bug as a critical one, we would never get a release out. We simply would be busy watching the builders compile one kernel after the other and never have a chance to even boot them and let them run for longer than a day before the next release is out there. We need to draw lines on things.
I agree that that isn’t easy and there will always be something that could be used to form an argument for another update. But this makes testing an absolute waste of time.
If we now take .229 and test it for a while, we would have to start again from zero with .230 and so on. I do not see why that is a price worth paying for a corner-case bug that does not affect anyone.
Ultimately I would like to rebase IPFire on a more recent kernel than 4.14, and keeping ourselves busy with updating 4.14 yet another time moves that further and further away.
Regarding CVE-2021-29154: This can be used to gain privileges as an unprivileged user. We do not have any unprivileged users running unknown software on the system. If that is a concern, we could still disable BPF entirely.
Best, -Michael
Anyway:
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Thanks, and best regards, Peter Müller
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/kernel/kernel.config.aarch64-ipfire | 3 +-- config/kernel/kernel.config.armv5tel-ipfire-multi | 3 +-- config/kernel/kernel.config.i586-ipfire | 3 +-- config/kernel/kernel.config.x86_64-ipfire | 3 +-- lfs/linux | 8 ++++---- 5 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b794cbcf2..9e8563cbd 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.14.206-ipfire Kernel Configuration +# Linux/arm64 4.14.229 Kernel Configuration
Just a very minor comment: Is this intentional?
# CONFIG_ARM64=y CONFIG_64BIT=y @@ -5050,7 +5050,6 @@ CONFIG_USB_LCD=m CONFIG_USB_FTDI_ELAN=m # CONFIG_USB_APPLEDISPLAY is not set CONFIG_USB_SISUSBVGA=m -CONFIG_USB_SISUSBVGA_CON=y # CONFIG_USB_LD is not set # CONFIG_USB_TRANCEVIBRATOR is not set CONFIG_USB_IOWARRIOR=m diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 3c26a3ce2..c40eb9f55 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.206-ipfire-multi Kernel Configuration +# Linux/arm 4.14.229-ipfire-multi Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -5457,7 +5457,6 @@ CONFIG_USB_LCD=m CONFIG_USB_FTDI_ELAN=m # CONFIG_USB_APPLEDISPLAY is not set CONFIG_USB_SISUSBVGA=m -CONFIG_USB_SISUSBVGA_CON=y # CONFIG_USB_LD is not set # CONFIG_USB_TRANCEVIBRATOR is not set CONFIG_USB_IOWARRIOR=m diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 8cac7cd45..448b8a84b 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.206-ipfire Kernel Configuration +# Linux/x86 4.14.229 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -5179,7 +5179,6 @@ CONFIG_USB_LCD=m CONFIG_USB_FTDI_ELAN=m # CONFIG_USB_APPLEDISPLAY is not set CONFIG_USB_SISUSBVGA=m -CONFIG_USB_SISUSBVGA_CON=y # CONFIG_USB_LD is not set # CONFIG_USB_TRANCEVIBRATOR is not set CONFIG_USB_IOWARRIOR=m diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 4dec50605..65c365c1b 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.206-ipfire Kernel Configuration +# Linux/x86 4.14.229 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -5021,7 +5021,6 @@ CONFIG_USB_LCD=m CONFIG_USB_FTDI_ELAN=m # CONFIG_USB_APPLEDISPLAY is not set CONFIG_USB_SISUSBVGA=m -CONFIG_USB_SISUSBVGA_CON=y # CONFIG_USB_LD is not set # CONFIG_USB_TRANCEVIBRATOR is not set CONFIG_USB_IOWARRIOR=m diff --git a/lfs/linux b/lfs/linux index 5abc6f93a..86acc14f7 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,8 +24,8 @@
include Config
-VER = 4.14.212 -ARM_PATCHES = 4.14.212-ipfire0 +VER = 4.14.229 +ARM_PATCHES = 4.14.229-ipfire0
THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -79,8 +79,8 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_MD5 = 645d5256adf72569e14edcf80c3757dc -arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 2b0e8e3ebe9827b2bfed7397b043dbc5 +$(DL_FILE)_MD5 = 9d4cf6e9ffff893d8a2ecea6a8c5a15b +arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = a04b842733999abb818cabb0388572b8
install : $(TARGET)
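Review bot: The regenerated header comments are inconsistent across the four kernel.config.* hunks: aarch64, i586 and x86_64 go from `4.14.206-ipfire` to plain `4.14.229`, while armv5tel keeps its suffix as `4.14.229-ipfire-multi`. That comment is written by kconfig from the version the tree reports at the time of `make oldconfig`, so the three files without the suffix were apparently refreshed in a tree without the IPFire version suffix; either regenerate them in the same build environment as lfs/linux uses, or note in the commit message that the header difference is cosmetic and the built kernel's version string is unchanged.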
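Review bot: The removal of `CONFIG_USB_SISUSBVGA_CON=y` in all four configs is not explained anywhere in the visible commit message, which consists only of the Signed-off-by line. If the option simply disappeared when `make oldconfig` was run against 4.14.229 (which would also explain why the same line is dropped on every architecture), say so in the message; otherwise a reader of the history sees a console driver silently dropped in what is presented as a version bump, and has no way to tell an intentional change from a stray config diff.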
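Review bot: In the lfs/linux hunk, `VER` jumps from 4.14.212 to 4.14.229, i.e. seventeen stable releases, and the only guard on the new tarball and the `arm-multi-patches-4.14.229-ipfire0` patch set is the updated `_MD5` pair pointing at `$(URL_IPFIRE)`. The MD5 only pins whatever was uploaded to the IPFire mirror; please state in the commit message that the upstream `linux-4.14.229.tar.xz` was checked against the kernel.org PGP signature before being mirrored, and summarise which fixes in .213 to .229 motivate the bump so the testing effort discussed in this thread has something to be weighed against.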
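Michael's fallback, if unprivileged users running unknown code were a concern, is to disable BPF. As an added example that is not part of this thread and not IPFire's own code, the Python below parses a kernel .config fragment in the same generated style as the kernel.config.* files above (the fragment and the sysctl values are constructed for illustration) and reports whether the two runtime knobs that govern unprivileged eBPF and the JIT are still open. Option and sysctl names are the upstream ones; the check models only the bpf(2) syscall path and treats CONFIG_BPF_JIT_ALWAYS_ON as forcing the JIT on regardless of the sysctl.

```python
"""Assess whether a kernel .config plus runtime sysctls still let an
unprivileged user reach the eBPF JIT, and list the hardening knobs to set.

Added example for the thread above; the .config fragment and sysctl values
are constructed for illustration and are not IPFire's real settings.
"""
import re

# Constructed .config fragment in the "Automatically generated" style of the
# kernel.config.* files in the patch. Values are illustrative only.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.14.229 Kernel Configuration
#
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_NET=y
"""

# Constructed runtime values, as `sysctl -n <key>` would print them.
SAMPLE_SYSCTLS = {
    "kernel.unprivileged_bpf_disabled": "0",
    "net.core.bpf_jit_enable": "1",
}


def parse_kconfig(text):
    """Return {option: value} for a Kconfig .config.

    '# CONFIG_X is not set' is mapped to 'n' so that a disabled option and an
    absent one are treated the same by the caller.
    """
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def bpf_exposure(config_text, sysctls):
    """Combine build-time options and runtime sysctls into a short report."""
    cfg = parse_kconfig(config_text)
    jit_built = cfg.get("CONFIG_BPF_JIT", "n") == "y"
    jit_forced = cfg.get("CONFIG_BPF_JIT_ALWAYS_ON", "n") == "y"
    syscall_built = cfg.get("CONFIG_BPF_SYSCALL", "n") == "y"

    # JIT is active if it is compiled in and either forced on at build time
    # or enabled through net.core.bpf_jit_enable at runtime.
    jit_active = jit_built and (
        jit_forced or sysctls.get("net.core.bpf_jit_enable", "0") != "0"
    )
    # bpf(2) is reachable by unprivileged users only while the syscall is
    # built in and kernel.unprivileged_bpf_disabled is still 0.
    unpriv_syscall = syscall_built and (
        sysctls.get("kernel.unprivileged_bpf_disabled", "0") == "0"
    )

    actions = []
    if unpriv_syscall:
        actions.append("sysctl -w kernel.unprivileged_bpf_disabled=1")
    if jit_active and not jit_forced:
        actions.append("sysctl -w net.core.bpf_jit_enable=0")
    elif jit_active and jit_forced:
        actions.append(
            "rebuild with CONFIG_BPF_JIT_ALWAYS_ON=n (or CONFIG_BPF_JIT=n) "
            "to turn the JIT off"
        )
    return {
        "jit_active": jit_active,
        "unprivileged_bpf_syscall": unpriv_syscall,
        "unprivileged_ebpf_reaches_jit": jit_active and unpriv_syscall,
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in bpf_exposure(SAMPLE_CONFIG, SAMPLE_SYSCTLS).items():
        print(f"{key}: {value}")
```

On a real system the .config text would come from /proc/config.gz or /boot/config-$(uname -r) and the sysctl values from `sysctl -n`; the report's `actions` list is the minimal set of changes that closes the bpf(2) path to the JIT for unprivileged users without rebuilding, falling back to a rebuild only when CONFIG_BPF_JIT_ALWAYS_ON pins the JIT on.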