[solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

Naik · 2016-10-26 07:24:01

Hello!
As suggested here, I should upgrade my kernel to 4.7.8-1 be on the safe side again but all the

sudo apt update
sudo apt upgrade

didn`t bring the new kernel on my system. Even smxi tells me that 4.7.0-1 would be the latest kernel for my system.
Would be a good idea to compile the latest kernel (4.8.4) from kernel.org?

I think i may messed up the sources.list, so I will place that one below and hope any of you guys/girls here are able to help me.
I`m feeling so insecure by now

# 
# deb cdrom:[Debian GNU/Linux 8 _Jessie_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160706-02:22]/ jessie contrib main non-free

deb http://httpredir.debian.org/debian unstable main non-free contrib
deb-src http://httpredir.debian.org/debian unstable main non-free contrib

deb http://httpredir.debian.org/debian testing main contrib non-free
deb-src http://httpredir.debian.org/debian testing main contrib non-free

#deb http://httpredir.debian.org/ jessie/updates main contrib non-free
#deb-src http://httpredir.debian.org/ jessie/updates main contrib non-free

# jessie-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian jessie-updates main contrib non-free
#deb-src http://httpredir.debian.org/debian jessie-updates main contrib non-free


deb http://dl.bintray.com/dawidd6/neofetch jessie main

naik --greetz

Last edited by Naik (2016-10-26 10:55:17)

johnraff · 2016-10-26 07:41:50

You have indeed got a very messy-looking sources.list there.

Check here to see what it should look like for a stable Debian system: https://forums.bunsenlabs.org/viewtopic.php?id=1526

Meanwhile, for security upgrades like this, there's no need to install a 4.7 kernel at all.
Debian security release patches for the regular Jessie kernel, and 'sudo apt-get update && sudo apt-get upgrade' is all you need to do to get them.

See here: https://security-tracker.debian.org/tra … -2016-5195
The vulnerable Debian Jessie kernel was 3.16.36-1+deb8u1
and the patched version is 3.16.36-1+deb8u2

Run 'uname -a' to check the version on your system.

Naik · 2016-10-26 09:05:30

Oh, sorry i didn`t point that out but it i intend to follow stretch/sid making this an "unstable" system, which i am totally fine with...
Do you have an example for this too?
something like this maybe?

# /etc/apt/sources.list:

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

deb http://ftp2.de.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp2.de.debian.org/debian/ stretch main contrib non-free

deb http://ftp2.de.debian.org/debian/ sid main contrib non-free
deb-src http://ftp2.de.debian.org/debian/ sid main contrib non-free

Back to Topic:

Running uname -a shows that there seems to be nothing to worry about for me.

Linux BL-TX 4.7.0-1-amd64 #1 SMP Debian 4.7.8-1 (2016-10-19) x86_64 GNU/Linux

But how could this be, when the kernel itself had not been updated? I feel like I`m missing some essential point here.
(thats why i won`t mark the thread "solved" untill i found out what exactly happend to provide this upgrade and what (packages) had been upgraded at all.)

naik --greetz

Last edited by Naik (2016-10-26 09:31:16)

Head_on_a_Stick · 2016-10-26 09:36:56

Naik wrote:

But how could this be, when the kernel itself had not been updated?

The Debian Security Team pushed the patched kernel version on the same day as the security announcement -- it is highly likely that you had already upgraded your kernel to the fixed version by the time you became aware of the problem.

I was rather slow in making the announcement on these boards, sorry about that...
:8

Naik · 2016-10-26 09:48:27

^^ ok, i get that. but why is the 4.7.0-1 Kernel still shown everywhere?

btw: No need to be sorry! Thanks for doing so anyway!

Head_on_a_Stick · 2016-10-26 09:49:54

Naik wrote:

why is the 4.7.0-1 Kernel still shown everywhere?

That is the Debian package version rather than the full kernel version -- look at `uname -a` instead.

Naik · 2016-10-26 10:54:14

That is the Debian package version rather than the full kernel version [...]

ok, so I guess i just missed the package-update :8
But this problem got fixed by using

${execi 7200 /usr/local/bin/krnl}

instead of ${kernel} in my conkyrc.

/usr/local/bin/krnl:

#!/bin/bash

Kernlong=$(uname -a)
Arch=$(uname -m)

Var=${Kernlong%(*}  # retain the part before the opening bracket
Kern=${Var##*n}  # retain the part after the end of Debian

echo $Kern - $Arch

..just in case somebody is interested.

earlybird wrote:

Just check the security tracker before worrying.

That`s what i did and for the given reasons the kernel-versions didn`t match. Since I`m running Stretch/Sid with almost daily updates, this kind of concerned me.
But I see your point: a little more research on the actual system instead of this internet-thingy could have been of much help. Sorry for that!

naik --greetz

Last edited by Naik (2016-10-26 11:00:52)

dolly · 2016-10-26 16:52:42

Why mix testing and unstable in the source list?

Head_on_a_Stick · 2016-10-26 17:04:34

dolly wrote:

Why mix testing and unstable in the source list?

There is a mandatory 10-14 day delay in package transitions from sid to testing (except for stuff like DirtyCOW which is pushed straight through ASAP) so if a buggy package makes it into testing it will stay broken for a while and it's usually best to pull a fixed version from sid (or experimental).

See https://www.debian.org/doc/manuals/debi … le_literal for more on this

Some users add the stable repositories as well but I don't see the point of that

dolly · 2016-10-26 19:11:45

Thanks for explanation and link Head_on_a_Stick. Guess what! I think I mixunderstood what op wants in post #3! :8

johnraff · 2016-10-27 02:53:29

Anyway, if you're going to be that concerned about security holes, surely you're better off staying on Debian Stable?

Naik · 2016-10-27 11:33:59

johnraff wrote:

Anyway, if you're going to be that concerned about security holes, surely you're better off staying on Debian Stable?

To be honest? I`m not! As could easily suggested this is not a production machine but only for the fun of it.
All security (and money) -related tasks are done on a rock-solid BL 8.5 installation.
I didn`t mean to offend anyone but made a little fun of this too. Anyway I`m happy to have this problem settled and thank you all for your help and patience.

naik --greetz

#1 2016-10-26 07:24:01

[solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#2 2016-10-26 07:41:50

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#3 2016-10-26 09:05:30

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#4 2016-10-26 09:36:56

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#5 2016-10-26 09:48:27

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#6 2016-10-26 09:49:54

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#7 2016-10-26 10:54:14

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#8 2016-10-26 16:52:42

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#9 2016-10-26 17:04:34

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#10 2016-10-26 19:11:45

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#11 2016-10-27 02:53:29

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

#12 2016-10-27 11:33:59

Re: [solved] Fighting the "DirtyCOW" on Sid - Can`t get kernel 4.7.8-1

Board footer