| Nicholas[m] | I'm wondering whether the dirty pipe vulnerability is mitigated by live patch, or do I need a reboot? | 12:08 |
|---|---|---|
| sdeziel | Nicholas[m]: I haven't used live patch but that's something I'd expect the `canonical-livepatch status` output to show, maybe? | 13:01 |
| Nicholas[m] | so what's happening then? when livepatch patches the running kernel does it bump the version number of the kernel -- can you go e.g. 5.4.0 -> 5.4.1 | 15:10 |
| tomreyn | more likely, it will be some kind of appendix. i assume /proc/version will show it, too. | 15:27 |
| sdeziel | Nicholas[m]: AFAIK, the kernel number (5.4.0) never changes during the whole support life. There is a number after it that keeps going up (5.4.0-104 is current ATM). | 15:28 |
| ebarretto | Nicholas[m], no kernel that is supported on livepatch was affected. Only kernels > 5.8 were affected: https://ubuntu.com/security/CVE-2022-0847 | 15:28 |
| ubottu | A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the syste... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847> | 15:28 |
| Nicholas[m] | ebarretto: the HWE kernel is 5.13 - isn't that supported by livepatch? | 15:30 |
| ebarretto | Nicholas[m], only the ones listed here: https://ubuntu.com/security/livepatch/docs/kernels | 15:32 |
| Nicholas[m] | oh dear. so a 20.04 server running HWE 5.13 needs a reboot to be covered from the dirtypipe... 😱 | 15:34 |
| tomreyn | according to this table, 20.04 LTS HWE kernels do not (yet) receive livepatch support at all. | 15:47 |
| tomreyn | (just GA) | 15:47 |
| shalocin[m] | Just switch back to the genetic kernel if you want live patch and get reboots. Servers generally don't need HWE branch because it just sits there in a rack doing its thing. On the other hand, you are more likely to be plugging in some fancy device into your desktop out laptop. | 23:44 |
| shalocin[m] | Or am I wrong? | 23:44 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!