A heads up. Spotted in my news feed. Applicable to many Linux distros.
IPFire needs to go to kernel 5.15.25 to include fix.
1 Like
Thanks for the heads up. This was flagged up by one of the devs in the monthly conf call yesterday.
https://wiki.ipfire.org/devel/telco/2022-03-07
Replacing the kernel in CU 164 at this late stage is unlikely to occur due to the unavailability of the IPFire kernel guru at this point in time.
However the patch fix for the bug is quite simple and so it is being looked at to add this as a last minute fix to CU164
https://lore.kernel.org/lkml/20220221100313.1504449-1-max.kellermann@ionos.com/
Bear in mind that to execute the bug you need access to IPFire so the hacker would need to have the root password or potentially the admin password and access to IPFire via the Console or potentially the WUI.
5 Likes
This is now patched and scheduled for c164:
git.ipfire.org Git - ipfire-2.x.git/commitdiff
Unfortunately our ARM builders are down, so we might need an extra day for a release.
3 Likes
The file corruption issue caused by the bug is probably more important than the security implication as you say.
Keep up the good work!
2 Likes