TFW Debian Stable doesn't have a fixed kernel package yet.
I'm sure they're working on it, but why the hell was Literally Freaking Debian not advised ahead-of-time about this major vulnerability?
@argv_minus_one I was just commenting something similar, that the advisory seems to be wackadoodle, in another venue. I'd argue that this not having a broader security push before the public release happened is a pretty serious failure on someone's part.
I'm backtracking on whether ELs are even at risk, because I can't find the module, but I haven't confirmed if it's just compiled in and not a module now 😕 (I've seen notes that they are, I just want to confirm before I just table flip and move to elrepo's mainline kernels to get around this)
@argv_minus_one nevermind, I need to go remind myself why I don't drink:
root@erebor:/var/log# modinfo algif_aead
name:           algif_aead
filename:       (builtin)
description:    AEAD kernel crypto API user space interface
author:         Stephan Mueller <smueller@chronox.de>
license:        GPL
file:           crypto/algif_aead
root@erebor:/var/log#
@ehashman Pretty bad, and the disclosure looks like it sucked, so we aren't far from calling it a 0-day.
The kernel compile option that introduces the vulnerability seems to be either CONFIG_CRYPTO_USER_API_AEAD or CONFIG_CRYPTO_AEAD. I think. I dunno. Details are sketchy.
@argv_minus_one @warthog9 The CONFIG_CRYPTO_USER_API_AEAD option selects whether the algif_aead module is built. It's not enabled on my systems (I guess I deemed it unnecessary).
I’d argue that this not having a broader security push before the public release happened is a pretty serious failure on someone’s part.
And who is that “someone”? We fix bugs like this in the kernel on a daily basis. If people have not learned to constantly upgrade to stay ahead of this, then why even assign these 10 CVEs a day in the first place? :)
@gregkh @argv_minus_one Won't disagree in the slightest on that front, and I'm not laying my grumbles at the kernel community's feet here. The kernel security team did its job, there's a fix, no issue there.
Where I'm grumbling is that it looks like the public disclosure happened before the distros were aware, and before there was even a chance of having a fix out for people to actually update to. While I would love for folks to be able to go compile their own kernel and get to mainline to pick up the fix, the reality in a lot of deployments means you can't; even in some of the deployments I've got to handle these days we can't, just because of other driver mess issues (that's a whole different can of worms worthy of much void screaming, but I'm not going to do that here right now).
Debian and Ubuntu look like they have a minor upside: they left the code as modules, so reject loading the modules and you can steer clear of this right now. EL / Fedora look like they picked the option to compile it straight in and are kinda up a creek right now. Fedora will likely be sorted quite shortly, but that's because they track mainline a lot closer. For EL, the only good option is to flip to elrepo and go mainline there, assuming you don't have other messes to deal with.
Mostly the grumble is laid at the feet of the finder for wanting to publicize it seemingly as quickly as they did, at some of the distros for dragging their feet and/or ignoring these things the way they tend to, and at not even vaguely giving the distros a chance to go "ohhh poop" and have fixes in place once it was public (again, that's more laid at the publicized situation vs. not).
Right now there's a lot of scramble for a bunch of folks, and not a lot of ways to get to a fix, and that's where I'm grumbling from (though I haven't had enough coffee / tea yet this morning to go find out how far that's moved overnight, so bear with me if they've all miraculously pulled a fast one and everyone has a fix out for everyone).
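Added example, not from any poster in this thread: a POSIX shell script that automates the two checks the thread walks through, whether `modinfo algif_aead` reports `(builtin)` (as in the transcript above) or a loadable `.ko`, and, for the module case, the `/etc/modprobe.d` `install <name> /bin/false` line that makes modprobe refuse to load it. The `modinfo` output format, the modprobe.d `install` mechanism and `/proc/modules` are real kernel/kmod behaviour; the two sample `modinfo` outputs (including the kernel version in the `.ko` path) are constructed so the script runs offline. A plain `blacklist` line only stops alias-based autoload, which is why the script emits `install`; and nothing in modprobe.d helps when the code is compiled in, which is the EL/Fedora situation the thread describes.

```shell
#!/bin/sh
# Added example (not from any poster in this thread). Classifies how a kernel
# crypto module is built from the text of `modinfo <module>` and prints the
# matching mitigation. Sample modinfo outputs below are constructed.

MODULE=algif_aead

# Constructed: what modinfo prints when the code is compiled into the kernel
# (mirrors the thread's transcript).
SAMPLE_BUILTIN='name:           algif_aead
filename:       (builtin)
description:    AEAD kernel crypto API user space interface
license:        GPL'

# Constructed: what a Debian/Ubuntu-style kernel prints when it is a module
# (the version string in the path is made up).
SAMPLE_MODULE='filename:       /lib/modules/4.9.0-amd64/kernel/crypto/algif_aead.ko
description:    AEAD kernel crypto API user space interface
license:        GPL
name:           algif_aead'

# classify_modinfo TEXT -> prints builtin | module | absent
classify_modinfo() {
    if printf '%s\n' "$1" | grep -q '^filename: *(builtin)'; then
        echo builtin
    elif printf '%s\n' "$1" | grep -q '^filename: */.*\.ko'; then
        echo module
    else
        echo absent
    fi
}

# modprobe_block_line NAME -> the /etc/modprobe.d line that makes modprobe
# refuse to load NAME. `blacklist NAME` only stops alias-based autoload;
# `install NAME /bin/false` replaces the load with a command that fails.
modprobe_block_line() {
    echo "install $1 /bin/false"
}

# mitigation_for KIND NAME -> one-line advice for the given build type
mitigation_for() {
    case $1 in
        builtin) echo "$2 is compiled in: modprobe.d cannot block it, only a fixed or rebuilt kernel helps" ;;
        module)  echo "add '$(modprobe_block_line "$2")' to /etc/modprobe.d/$2.conf and rmmod $2 if already loaded" ;;
        *)       echo "$2 is not built for this kernel" ;;
    esac
}

# is_loaded NAME -> succeeds if NAME appears in /proc/modules
# (built-in code never appears there, so this is only meaningful for modules)
is_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# Run against the constructed samples (the empty string stands in for the
# case where modinfo finds nothing and prints only an error on stderr) ...
for s in "$SAMPLE_BUILTIN" "$SAMPLE_MODULE" ""; do
    kind=$(classify_modinfo "$s")
    echo "$kind: $(mitigation_for "$kind" "$MODULE")"
done

# ... and against the live kernel when modinfo is available; errors are
# swallowed so the script also runs on hosts where the module is absent.
if command -v modinfo >/dev/null 2>&1; then
    live=$(modinfo "$MODULE" 2>/dev/null || true)
    kind=$(classify_modinfo "$live")
    echo "live: $kind; loaded: $(is_loaded "$MODULE" && echo yes || echo no)"
fi
```

Usage: run it as root on the host in question; for a `module` result, write the emitted `install` line to a file under `/etc/modprobe.d/` and `rmmod` the module if it is already loaded, since modprobe.d only governs future loads. For a `builtin` result the script deliberately offers no workaround, because there is none short of a different kernel.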