View Issue Details

ID: 0000845
Project: channel: elrepo/el7
Category: kmod-usbip
View Status: public
Last Update: 2018-05-02 14:04
Reporter: choman
Assigned To: pperry
Priority: normal
Severity: major
Reproducibility: N/A
Status: assigned
Resolution: open
Summary: 0000845: usbip vulnerabilities
Description: I'm looking to use the usbip package (testing) but there are some CVEs that
are not there. It looks like (based on the change log) the usbip packages
were backported from the 3.18.83 kernel.

It also looks like, according to https://github.com/nluedtke/linux_kernel_cves/blob/master/3.18/3.18_CVEs.txt,
the following CVEs were patched in the 3.18 kernel:
CVE-2017-16911: Fixed with 3.18.95
CVE-2017-16912: Fixed with 3.18.95
CVE-2017-16913: Fixed with 3.18.95
CVE-2017-16914: Fixed with 3.18.89

Is it possible to get these updates patched into the usbip packages?
Tags: No tags attached.
Reported upstream

Activities

pperry

2018-05-01 14:42

administrator   ~0005806

I've updated the usbip packages, backporting fixes from the latest 3.18.107 kernel which contains the fixes you mention above.

Updated packages have been released to the testing repository and should show up on the mirrors shortly:

kmod-usbip-1.0.1-2.el7_5.elrepo.x86_64.rpm
usbip-utils-1.0.1-2.el7.elrepo.x86_64.rpm

Please note that kmod-usbip-1.0.1-2.el7_5.elrepo.x86_64.rpm requires the el7.5 kernel and is not backward compatible with earlier kernels due to retpoline fixes for the Spectre vulnerability.

Please test and report if these packages work as expected, at which point I will promote them to the main elrepo repository.

Thanks for the report.

choman

2018-05-02 12:27

reporter   ~0005811

I assume el7.5 is CentOS 7.5 kernel. Is there a pointer to upgrade instructions I can follow?

In the meantime, I looked into the latest CentOS 7.4 kernel, and I saw
this in the changelogs. So is this good enough?

    # uname -r
    3.10.0-693.21.1.el7.x86_64

    # rpm -q --changelog kernel-$(uname -r) | grep -i cve | grep retpo
    - [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}

toracat

2018-05-02 12:47

administrator   ~0005812

In CentOS, to update to the 7.5 packages (including the kernel), you need to enable the CR repo.

    yum --enablerepo=cr update kernel

will update the kernel.

choman

2018-05-02 13:27

reporter   ~0005815

Awesome, thanks. Last Q: the older usbip modules were preinstalled, and I
did a yum update to get them upgraded. Can I safely assume the new kernel will pick up on them, or should I reload the modules into the kernel?

Thanks

pperry

2018-05-02 14:04

administrator   ~0005818

Best to reboot the system if you can. Otherwise, unload the modules with modprobe -r and then reload them with modprobe.

The new modules will only work with the new kernel - they are not backward compatible with older kernels.
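
The triage behind this report (compare each CVE's "Fixed with" version to the stable release a backport was taken from) can be scripted. The following is an added example, not part of the original thread or of ELRepo's tooling; `missing_fixes` and `CVE_LIST` are hypothetical names, and the input is the four entries quoted in the description. A listed CVE means the fix is newer than the backport base and has to be confirmed in the package changelog, since a packager may have cherry-picked it separately.

```shell
#!/bin/sh
# Added example; missing_fixes and CVE_LIST are hypothetical names.

# The four entries quoted in the issue description.
CVE_LIST='CVE-2017-16911: Fixed with 3.18.95
CVE-2017-16912: Fixed with 3.18.95
CVE-2017-16913: Fixed with 3.18.95
CVE-2017-16914: Fixed with 3.18.89'

# missing_fixes BASE: read "CVE-...: Fixed with X.Y.Z" lines on stdin and
# print each CVE whose fix landed after BASE in the same stable series.
missing_fixes() {
    awk -v base="$1" '
    # Strip the last component: 3.18.95 -> 3.18
    function series(v) { sub(/\.[0-9]+$/, "", v); return v }

    # 1 when dotted version a is strictly newer than b. Components are
    # compared as numbers, so 3.18.107 is newer than 3.18.95 (a plain
    # string comparison would get that wrong).
    function newer(a, b,    x, y, n, m, i) {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= n || i <= m; i++)
            if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0)
        return 0
    }

    # Entries in any other form are skipped.
    /^CVE-[0-9]+-[0-9]+: Fixed with [0-9]+\.[0-9]+\.[0-9]+$/ {
        cve = $1; sub(/:$/, "", cve)
        if (series($4) == series(base) && newer($4, base)) print cve
    }'
}

# Backport base named in the report: all four fixes are newer than it.
printf '%s\n' "$CVE_LIST" | missing_fixes 3.18.83
```

Run against 3.18.107, the base of the updated packages, the function prints nothing.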

Issue History

Date Modified Username Field Change
2018-05-01 12:27 choman New Issue
2018-05-01 12:27 choman Status new => assigned
2018-05-01 12:27 choman Assigned To => stindall
2018-05-01 13:09 burakkucat Assigned To stindall => pperry
2018-05-01 13:09 burakkucat Category --elrepo--OTHER-- => kmod-usbip
2018-05-01 14:42 pperry Note Added: 0005806
2018-05-02 12:27 choman Note Added: 0005811
2018-05-02 12:47 toracat Note Added: 0005812
2018-05-02 13:27 choman Note Added: 0005815
2018-05-02 14:04 pperry Note Added: 0005818