[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

D. Hugh Redelmeier hugh at mimosa.com
Wed Jun 5 10:49:13 EDT 2024


| From: CAREY SCHUG via talk <talk at gtalug.org>

| (n.b. I install updates pretty often, roughly every 25-50 days, as I get 
| notices about snaps, and sometimes just closing and opening a program 
| fails to update the snap, and the most common is my browser, of which I 
| have 5-6 windows open, so if I have to close them all, I might as well 
| close everything and check all updates, and reboot just for good 
| measure)

I tend to do updates once a week, but not like clockwork.  The distro I 
use, Fedora, has a firehose of updates.

You can quit Firefox and then start it up with the same windows.  You lose 
sessions so you may have to log into web sites again.

| see, they hide info from dummies like me.

My Sunday message included the link 
<https://ubuntu.com/security/CVE-2024-1086>

| I found on ubuntu website the fix is 
| 
| PACKAGE                    RELEASE   STATUS
| linux                      bionic    Released (4.15.0-223.235)
| Launchpad, Ubuntu, Debian            Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
|                            focal     Released (5.4.0-174.193)
|                            jammy     Released (5.15.0-101.111)
|                            mantic    Released (6.5.0-26.26)
|                            noble     Pending (6.8.0-7.7)
|                            trusty    Not vulnerable (3.11.0-12.19)
|                            upstream  Released (6.8~rc2)
|                            xenial    Released (4.4.0-252.286)
|                                      Available with Ubuntu Pro or Ubuntu Pro (Infra-only)

I don't like this advertising.  I think that it is misleading since the 
update is available without Ubuntu Pro.  (I haven't checked, but it sure 
better be.)

| Patches:
| Introduced by e0abdadcc6e113ed2e22c85b350074487095875b
| Fixed by f342de4e2f33e0e39165d8639387aa6c19dff660
| 
| what am I on?
| 
| >lsb_release -a
| No LSB modules are available.
| Distributor ID:	Ubuntu
| Description:	Ubuntu 22.04.4 LTS
| Release:	22.04
| Codename:	jammy
| 
| 
| how do I reconcile that with:
| 
| "jammy	Released (5.15.0-101.111)"
| 
| those seem like completely different number sequences (it is long enough ago to have gone from 5.15 to 6.5, is it?)

The patch is to the kernel.  So you care about the kernel version.  Just 
check what kernel package you are running.
  $ uname -r
or
  $ cat /proc/version
will tell you.

Then match it with the numbers in the advisory notice.
(Sorry: in a hurry so I didn't check exactly what you said about 
versions.)
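
The matching step described above, as an added example that is not part of the original message: a shell function that compares a `uname -r` string with the "Released" rows of the advisory table quoted in this thread. The function names `fixed_for` and `check_kernel` are hypothetical, and the code assumes the Ubuntu `uname -r` layout BASE-ABI-FLAVOUR (for example `5.15.0-101-generic`).

```shell
#!/bin/sh
# Added example. Fixed package versions are copied from the advisory table
# quoted in this thread; "Pending" and "Not vulnerable" rows are left out.
fixed_for() {
    case "$1" in
        xenial) echo 4.4.0-252.286 ;;
        bionic) echo 4.15.0-223.235 ;;
        focal)  echo 5.4.0-174.193 ;;
        jammy)  echo 5.15.0-101.111 ;;
        mantic) echo 6.5.0-26.26 ;;
        *) return 1 ;;
    esac
}

# check_kernel CODENAME RELEASE
# prints: has-fix | older-than-fix | other-series | unknown
check_kernel() {
    fixed=$(fixed_for "$1") || { echo unknown; return; }
    case "$2" in *-*) ;; *) echo unknown; return ;; esac
    base=${2%%-*}            # 5.15.0   from 5.15.0-101-generic
    rest=${2#*-}             # 101-generic
    abi=${rest%%[!0-9]*}     # 101
    fbase=${fixed%%-*}       # 5.15.0   from 5.15.0-101.111
    frest=${fixed#*-}        # 101.111
    fabi=${frest%%.*}        # 101
    [ -n "$abi" ] || { echo unknown; return; }
    if [ "$base" != "$fbase" ]; then
        # A different kernel series (e.g. a 6.5 kernel on jammy) is not
        # covered by this row, so no verdict is given.
        echo other-series
    elif [ "$abi" -ge "$fabi" ]; then
        # uname -r omits the upload number (.111), so an equal ABI
        # number is treated as carrying the fix.
        echo has-fix
    else
        echo older-than-fix
    fi
}

# On a live system:
#   check_kernel "$(lsb_release -cs)" "$(uname -r)"
```
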

