Hi Everyone,
I noticed IPfire 117 uses the 3.14 kernel:
# uname -r 3.14.79-ipfire-pae
I believe that was EOL about a year ago. It is not going to get the patches for the cpu bugs; and it has not gotten patches for many other vulnerabilities. Also see http://kroah.com/log/blog/2018/01/06/meltdown-status/ .
Are there plans to move to a 4.x kernel or other LTS kernel?
Thanks in advance,
Jeffrey Walton
Hello Jeffrey,
thanks for getting in touch.
So far, IPFire is based on the 3.14 kernel. It is heavily patched in IPFire with grsecurity and a variety of other patches, so although it is EOL upstream, we still maintain this kernel.
However, this is not a very good state for us because we want all the improvements and benefit from the hard work that the kernel community puts into new releases and not put extra work into it. But rebasing the distribution on a new kernel is hard work. Arne has been working on that for several months now and kernels for x86_64 and i586 are already available here:
https://people.ipfire.org/~arne_f/highly-experimental/kernel/
I have been running those kernels for several months now on some of my own systems and other people have been testing them well and they are very solid and almost ready for release.
However, the ARM kernels are causing us a bit of a headache at the moment and have been delaying the entire release process of this kernel. Arne is still on it.
Certainly this kernel will arrive in Q1.
If you want to, you can already download the archives there, extract them onto your system, run "update-bootloader" and reboot into the new kernel.
https://bugzilla.ipfire.org/showdependencytree.cgi?id=11548
There is only minor issues left.
Please send us your feedback.
I will also issue a statement on the latest CPU bugs affecting Intel and other vendors hopefully later today. Since the firewall is not running any untrusted code (e.g. JS in a web browser), this is not so easily exploitable as it is on other systems. Any remote code execution vulnerability in any software running on IPFire will of course allow an attacker to take advantage of this bug as well, so that means we cannot wait for forever to patch this.
The 4.14.11 and later kernels from Arne's directory are patched against Meltdown and Spectre.
Best, -Michael
On Mon, 2018-01-08 at 04:39 -0500, Jeffrey Walton wrote:
Hi Everyone,
I noticed IPfire 117 uses the 3.14 kernel:
# uname -r 3.14.79-ipfire-pae
I believe that was EOL about a year ago. It is not going to get the patches for the cpu bugs; and it has not gotten patches for many other vulnerabilities. Also see http://kroah.com/log/blog/2018/01/06/meltdown-status/ .
Are there plans to move to a 4.x kernel or other LTS kernel?
Thanks in advance,
Jeffrey Walton
-
Jeffrey Walton -
Michael Tremer