[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

CAREY SCHUG sqrfolkdnc at comcast.net
Tue Jun 4 11:03:42 EDT 2024


(n.b. I install updates pretty often, roughly every 25-50 days, as I get notices about snaps, and sometimes just closing and opening a program fails to update the snap, and the most common is my browser, of which I have 5-6 windows open, so if I have to close them all, I might as well close everything and check all updates, and reboot just for good measure)

see, they hide info from dummies like me.

I found on the Ubuntu website that the fix is

PACKAGE: linux (Launchpad, Ubuntu, Debian)

RELEASE   STATUS
bionic    Released (4.15.0-223.235)   [Available with Ubuntu Pro or Ubuntu Pro (Infra-only)]
focal     Released (5.4.0-174.193)
jammy     Released (5.15.0-101.111)
mantic    Released (6.5.0-26.26)
noble     Pending (6.8.0-7.7)
trusty    Not vulnerable (3.11.0-12.19)
upstream  Released (6.8~rc2)
xenial    Released (4.4.0-252.286)    [Available with Ubuntu Pro or Ubuntu Pro (Infra-only)]

Patches:
Introduced by e0abdadcc6e113ed2e22c85b350074487095875b
Fixed by f342de4e2f33e0e39165d8639387aa6c19dff660

what am I on?

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.4 LTS
Release:	22.04
Codename:	jammy


how do I reconcile that with:

"jammy	Released (5.15.0-101.111)"

those seem like completely different number sequences (it is long enough ago to have gone from 5.15 to 6.5, is it?)

also found this:

$ sudo apt list linux-headers-$(uname -r)
[sudo] password for careyschug:
Listing... Done
linux-headers-6.5.0-35-generic/jammy-updates,jammy-security,now 6.5.0-35.35~22.04.1 amd64 [installed,automatic]

also seems like a different sequence

--Carey

> On 06/04/2024 7:33 AM CDT D. Hugh Redelmeier via talk <talk at gtalug.org> wrote:
> 
>  
> | From: CAREY SCHUG via talk <talk at gtalug.org>
> 
> | Maybe i missed it, but can somebody post the "for dummies" command to 
> | tell if one has the fix installed?
> | 
> | I realize a different command for each package manager, at least: Deb, pacman, rpm, gentoo, others?
> 
> DON'T PANIC.  For a Bad Guy to exploit this bug, they need to be able to 
> run code of their choosing on your machine.  I bet you don't let anyone 
> dangerous log in to your machine.  And I bet you don't run random shell 
> scripts from the internet.
> 
> The bug is pretty old so you are unlikely to have a kernel that 
> predates the bug's introduction.  So you need to have a kernel new enough 
> to have the fix.
> 
> Each distro probably released its own announcement some time after late 
> January 2024.  The bug's name is CVE-2024-1086.  Googling that and your 
> distro's name should get you to any announcement.
> 
> Because distros don't want to let the cat out of the bag prematurely, they 
> may be coy in the description of the update.  The Good Guys want to 
> release fixes before alerting Bad Guys of a vulnerability.
> 
> ---
> Post to this mailing list talk at gtalug.org
> Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
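As an added example (not from the thread, and not Ubuntu's own tooling), here is a Python check that compares an installed Ubuntu kernel version string against the fixed versions from the tracker table quoted above. It assumes that a jammy kernel whose major.minor differs from the series' GA kernel (the 6.5.0-35.35~22.04.1 HWE kernel shown) follows the newer series' line and is compared against the mantic row.

```python
import re

# Fixed kernel versions per Ubuntu series for CVE-2024-1086, copied from the
# Ubuntu security tracker rows quoted earlier in the thread.
FIXED = {
    "bionic": "4.15.0-223.235",
    "focal": "5.4.0-174.193",
    "jammy": "5.15.0-101.111",
    "mantic": "6.5.0-26.26",
    "xenial": "4.4.0-252.286",
}

# major.minor.patch-ABI[.upload][~backport-suffix]; trailing flavour text
# such as "-generic" from uname -r is ignored.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?(?:~.*)?")


def parse_kernel_version(v: str) -> tuple:
    """Turn '6.5.0-35.35~22.04.1' or a uname -r string like '6.5.0-35-generic'
    into a comparable tuple (major, minor, patch, abi, upload).
    A missing upload number (uname -r output) is treated as 0, so pass the
    full apt package version when only the upload number differs."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised kernel version: {v!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def series_for(installed: str, codename: str) -> str:
    """Pick the tracker row to compare against. Assumption (not stated on the
    page): a kernel whose major.minor differs from the series' GA kernel is an
    HWE backport and follows the newer series' line (jammy's 6.5 -> mantic)."""
    line = parse_kernel_version(installed)[:2]
    if parse_kernel_version(FIXED[codename])[:2] == line:
        return codename
    for name, ver in FIXED.items():
        if parse_kernel_version(ver)[:2] == line:
            return name
    raise LookupError(f"no tracker row for kernel line {line[0]}.{line[1]}")


def has_fix(installed: str, codename: str) -> bool:
    """True when the installed kernel is at or past the fixed version for
    the tracker row that applies to this series and kernel line."""
    series = series_for(installed, codename)
    return parse_kernel_version(installed) >= parse_kernel_version(FIXED[series])


if __name__ == "__main__":
    # Values taken from the apt and lsb_release output quoted in the thread.
    print(has_fix("6.5.0-35.35~22.04.1", "jammy"))  # compared against mantic
```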

