[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited
D. Hugh Redelmeier
hugh at mimosa.com
Wed Jun 5 10:49:13 EDT 2024
| From: CAREY SCHUG via talk <talk at gtalug.org>
| (n.b. I install updates pretty often, roughly every 25-50 days, as I get
| notices about snaps, and sometimes just closing and opening a program
| fails to update the snap, and the most common is my browser, of which I
| have 5-6 windows open, so if I have to close them all, I might as well
| close everything and check all updates, and reboot just for good
| measure)
I tend to do updates once a week, but not like clockwork. The distro I
use, Fedora, has a firehose of updates.
You can quit Firefox and then start it up with the same windows. You lose
sessions so you may have to log into web sites again.
| see, they hide info from dummies like me.
My Sunday message included the link
<https://ubuntu.com/security/CVE-2024-1086>
| I found on ubuntu website the fix is
|
| PACKAGE  RELEASE   STATUS
| linux    (Launchpad, Ubuntu, Debian)
|          bionic    Released (4.15.0-223.235)
|                    Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
|          focal     Released (5.4.0-174.193)
|          jammy     Released (5.15.0-101.111)
|          mantic    Released (6.5.0-26.26)
|          noble     Pending (6.8.0-7.7)
|          trusty    Not vulnerable (3.11.0-12.19)
|          upstream  Released (6.8~rc2)
|          xenial    Released (4.4.0-252.286)
|                    Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
I don't like this advertising. I think that it is misleading since the
update is available without Ubuntu Pro. (I haven't checked, but it sure
better be.)
| Patches:
| Introduced by
| e0abdadcc6e113ed2e22c85b350074487095875b
| Fixed by f342de4e2f33e0e39165d8639387aa6c19dff660
|
| what am I on?
|
| >lsb_release -a
| No LSB modules are available.
| Distributor ID: Ubuntu
| Description: Ubuntu 22.04.4 LTS
| Release: 22.04
| Codename: jammy
|
|
| how do I reconcile that with:
|
| "jammy Released (5.15.0-101.111)"
|
| those seem like completely different number sequences (it is long enough ago to have gone from 5.15 to 6.5, is it?)
The patch is to the kernel. So you care about the kernel version. Just
check what kernel package you are running.
$ uname -r
or
$ cat /proc/version
will tell you.
Then match it with the numbers in the advisory notice.
(Sorry: in a hurry so I didn't check exactly what you said about
versions.)
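
The matching step described above, as an added example that is not part of the original message: it compares a `uname -r` string with the "Released" rows of the advisory table quoted earlier. The function names `fixed_version` and `kernel_status` are hypothetical, and the comparison assumes GNU `sort -V`.

```bash
#!/usr/bin/env bash
# Fixed versions of the "linux" package for CVE-2024-1086, copied from the
# advisory table quoted in the message (rows marked "Released" only).
fixed_version() {
  case "$1" in
    xenial) echo 4.4.0-252.286 ;;
    bionic) echo 4.15.0-223.235 ;;
    focal)  echo 5.4.0-174.193 ;;
    jammy)  echo 5.15.0-101.111 ;;
    mantic) echo 6.5.0-26.26 ;;
    *)      return 1 ;;
  esac
}

# kernel_status CODENAME RUNNING
# RUNNING is what `uname -r` prints (5.15.0-101-generic) or a full package
# version (5.15.0-101.111). Prints patched, vulnerable, other-series or unknown.
kernel_status() {
  local fixed running lowest
  fixed=$(fixed_version "$1") || { echo unknown; return; }
  # Drop the flavour suffix: 5.15.0-101-generic -> 5.15.0-101
  running=$(printf '%s\n' "$2" | sed -E 's/^([0-9.]+-[0-9.]+).*/\1/')
  # A different upstream series (for example a 6.5 HWE kernel on jammy) is
  # built from another source package, so this table row does not cover it.
  if [ "${running%%-*}" != "${fixed%%-*}" ]; then
    echo other-series; return
  fi
  # uname -r carries only the ABI number (101), not the upload number (.111).
  # In that case compare at ABI precision; this assumes the fixed upload was
  # the first one published with that ABI number.
  case "${running#*-}" in
    *.*) ;;
    *)   fixed=${fixed%.*} ;;
  esac
  lowest=$(printf '%s\n%s\n' "$fixed" "$running" | sort -V | head -n 1)
  if [ "$lowest" = "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Run as: script.sh "$(lsb_release -cs)" "$(uname -r)"
if [ "$#" -eq 2 ]; then kernel_status "$1" "$2"; fi
```

An `other-series` or `unknown` result means the table row quoted here does not answer the question, and the advisory page has to be checked for the package the running kernel actually comes from.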