[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

D. Hugh Redelmeier hugh at mimosa.com
Thu Jun 6 01:52:37 EDT 2024


| From: Howard Gibson via talk <talk at gtalug.org>

| On Wed, 5 Jun 2024 10:49:13 -0400 (EDT)
| "D. Hugh Redelmeier via talk" <talk at gtalug.org> wrote:
| 
| > I tend to do updates once a week, but not like clockwork.  The distro I 
| > use, Fedora, has a firehose of updates.
| 
| Hugh,
| 
|    I have a cron job that updates my machine every week.  I am okay as 
|    long as I re-install every year or so.  Does this protect me from the 
|    bug?

I assume that you reboot after updates.  The fix is to the kernel and 
updates themselves don't cause the new kernel to run.  That takes a 
reboot.  (There are mechanisms to update a kernel while running but I 
think that they are not normal except in some server environments.)

There is, of course, a gap of up to a week after your distro releases an 
update and you applying that update.  So that's a window of vulnerability.
Of course you were vulnerable before the release too.

Fedora released an update for this particular bug early in February.
I think that big distros with professional staff would have released 
updates at about that time.  debian too, I imagine.

Note: Fedora does not release a new live/installation .iso when a security 
bug is fixed.

Summary:

- the bug isn't important unless you run random stranger's code on your 
  computer.  If you do, the bug would let them escalate their privilege.

- I imagine the only vulnerable systems at the time of the Ars Technica 
  article were those that were not being regularly updated.  It came out 
  over three months after fixes were released.

- you can look up what your distro says about CVE-2024-1086

- I fear many containerised systems don't get timely updates.  It doesn't 
  seem to be part of that culture.
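The point above about updates not taking effect until a reboot can be
checked mechanically.  The script below is an added example and is not
code from the thread or from Fedora; it compares the running kernel
(what `uname -r` reports) with the newest installed kernel package.
The sample version list is constructed; the live branch assumes an rpm
based system where the kernel is packaged as kernel-core, as on current
Fedora.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether the running
# kernel is the newest installed one.  If it is not, the kernel fix that an
# update installed is not in effect until the next reboot.

# Constructed sample list, in the form that
#   rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core
# prints on Fedora; three kernels kept side by side, as dnf normally does.
SAMPLE_INSTALLED='6.7.4-200.fc39.x86_64
6.7.7-200.fc39.x86_64
6.7.3-200.fc39.x86_64'

# newest_kernel LIST -> prints the highest version in a newline-separated LIST.
# sort -V compares version strings component by component, so 6.7.10 sorts
# after 6.7.7 (a plain lexical sort would get that wrong).
newest_kernel() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# reboot_needed RUNNING LIST -> exit status 0 (true) when RUNNING is not the
# newest kernel in LIST, 1 (false) when the newest kernel is already running.
reboot_needed() {
    _running=$1
    _newest=$(newest_kernel "$2")
    [ "$_running" != "$_newest" ]
}

# report RUNNING LIST -> human-readable verdict on stdout.
report() {
    if reboot_needed "$1" "$2"; then
        echo "running $1, newest installed $(newest_kernel "$2"): reboot needed"
    else
        echo "running $1 is the newest installed kernel: no reboot needed"
    fi
}

# Demonstration on the constructed sample.
report '6.7.3-200.fc39.x86_64' "$SAMPLE_INSTALLED"
report '6.7.7-200.fc39.x86_64' "$SAMPLE_INSTALLED"

# Live check on a real Fedora box: run with LIVE_CHECK=1.  Assumes rpm is
# present and the kernel is packaged as kernel-core (true on current Fedora).
if [ -n "${LIVE_CHECK:-}" ]; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core)
    report "$(uname -r)" "$installed"
fi
```

Run it as LIVE_CHECK=1 sh check-kernel.sh after the weekly cron update; a
"reboot needed" line means the patched kernel is installed but not yet
running.  To see what Fedora itself says about the bug, dnf's advisory
lookup takes the CVE id directly: dnf updateinfo info --cve CVE-2024-1086.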

