chore: bump kernel to 5.15.23 #397

Merged: 1 commit, Feb 11, 2022

frezbo commented Feb 11, 2022

Bump kernel to 5.15.23

Fixes CVE-2022-0435, as of
#394 Talos is not affected

Signed-off-by: Noel Georgi <git@frezbo.dev>

smira commented Feb 11, 2022

I guess we need to backport kernel bump to release-0.9 as well. Probably not the #394 to avoid big (breaking?) changes

frezbo commented Feb 11, 2022

I'm not sure, we probably don't have anything using TIPC in userspace, but safer to update

frezbo commented Feb 11, 2022

> I guess we need to backport kernel bump to release-0.9 as well. Probably not the #394 to avoid big (breaking?) changes

https://www.openwall.com/lists/oss-security/2022/02/10/1 since we don't load it and have KASLR enabled maybe we can skip backporting

smira commented Feb 11, 2022

> It's also worth noting that the current CONFIG_FORTIFY_SRC=y is a hard
> mitigation to leveraging CVE-2022-0435 for control-flow hijacking, as it
> does a bounds check on the size of the offending memcpy and causes a
> kernel panic.

I think loading is not relevant, as we have it built into the kernel, but on the other hand probably yes, it's only a panic potentially. But at the same time it might make sense to bump to address issues.
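
As an added example (not code from this pull request or the Talos project): the thread weighs three kernel build settings, namely whether TIPC is built in or a module, FORTIFY_SOURCE, and KASLR. This sketch reads a kernel `.config` and reports them; the sample fragments are constructed, the function names are hypothetical, and it uses the upstream symbol names `CONFIG_TIPC`, `CONFIG_FORTIFY_SOURCE` and `CONFIG_RANDOMIZE_BASE`.

```python
import re

# Constructed sample fragments for illustration; not the Talos kernel config.
SAMPLE_BUILTIN = "CONFIG_TIPC=y\nCONFIG_FORTIFY_SOURCE=y\nCONFIG_RANDOMIZE_BASE=y\n"
SAMPLE_MODULE = "CONFIG_TIPC=m\n# CONFIG_FORTIFY_SOURCE is not set\nCONFIG_RANDOMIZE_BASE=y\n"
SAMPLE_ABSENT = "# CONFIG_TIPC is not set\nCONFIG_FORTIFY_SOURCE=y\n"

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map each option to its value; '# ... is not set' lines map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
        else:
            m = _UNSET.match(line)
            if m:
                opts[m.group(1)] = "n"
    return opts


def tipc_exposure(text):
    """Summarise the three settings the thread weighs for CVE-2022-0435."""
    opts = parse_kconfig(text)
    tipc = opts.get("CONFIG_TIPC", "n")  # a missing option means not compiled
    fortify = opts.get("CONFIG_FORTIFY_SOURCE", "n") == "y"
    kaslr = opts.get("CONFIG_RANDOMIZE_BASE", "n") == "y"
    if tipc == "y":
        reach = "built in: always present, so 'we don't load it' does not apply"
    elif tipc == "m":
        reach = "module: present only while the tipc module is loaded"
    else:
        reach = "not compiled: TIPC code is absent from this kernel"
    return {"tipc": tipc, "fortify": fortify, "kaslr": kaslr, "reach": reach,
            # The fixed kernel is still wanted whenever the code is compiled:
            # with FORTIFY_SOURCE the quoted advisory describes a panic instead.
            "needs_patch": tipc != "n"}


if __name__ == "__main__":
    for name, cfg in [("builtin", SAMPLE_BUILTIN), ("module", SAMPLE_MODULE),
                      ("absent", SAMPLE_ABSENT)]:
        print(name, tipc_exposure(cfg))
```

On a running system the same text can come from `/boot/config-$(uname -r)` or `/proc/config.gz` where the kernel exposes it.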

smira commented Feb 11, 2022

I will create backport for 5.15.23 to release-0.9

smira commented Feb 11, 2022

/m

talos-bot merged commit 6019223 into siderolabs:master Feb 11, 2022
frezbo deleted the chore/bump-kernel-5.15.23 branch February 11, 2022 14:27
smira added a commit to smira/talos that referenced this pull request Feb 11, 2022
See:

* siderolabs/tools#168
* siderolabs/pkgs#395
* siderolabs/pkgs#397
* siderolabs/extras#37

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>