Discussion:
Bookworm and its kernel: any updates coming?
Tom Browder
2024-06-03 13:50:01 UTC
I keep getting emails concerning the serious kernel vulnerability in
kernels 5.14 through 6.6.

I have not seen any updates and uname -a shows: 6.1.0-13-amd64

Anyone concerned?

-Tom
Michael Kjörling
2024-06-03 14:20:01 UTC
Post by Tom Browder
I keep getting emails concerning the serious kernel vulnerability in
kernels 5.14 through 6.6.
I have not seen any updates and uname -a shows: 6.1.0-13-amd64
Something's broken on your end.

Bookworm is currently at ABI 6.1.0-21 / kernel 6.1.90-1 since May 6
[1]. Bookworm Backports seems to have a 6.7.12 kernel.

https://packages.debian.org/bookworm/linux-image-amd64

https://tracker.debian.org/news/1527641/accepted-linux-signed-amd64-61901-source-into-stable-security/

IIRC (but without having checked) 6.1.0-13 was around the kernel data
corruption bug incident. Check your apt pins to ensure that you're not
blocking too much.
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
Tom Browder
2024-06-03 15:00:01 UTC
On Mon, Jun 3, 2024 at 09:15 Michael Kjörling <***@ewoof.net> wrote:
...
Post by Michael Kjörling
Post by Tom Browder
I have not seen any updates and uname -a shows: 6.1.0-13-amd64
Something's broken on your end.
...
Check your apt pins to ensure that you're not blocking too much.
Thanks, Michael.

My system is a remote host, and I'm in the process of a reinstall on one.

If I correctly read the links you sent, the latest kernel has that CVE
covered.

But another remote host seems to have the same problem. Each host comes
from a different provider and had slightly different default pinnings in
'/etc/apt/sources.list'.

I'll double-check my pinnings.

-Tom
Michael Kjörling
2024-06-03 16:20:01 UTC
Post by Tom Browder
But another remote host seems to have the same problem. Each host comes
from a different provider and had slightly different default pinnings in
'/etc/apt/sources.list'.
I'll double-check my pinnings.
Try: apt-cache policy linux-image-amd64

Here's the output of that from my system, only slightly anonymized,
Installed: 6.1.90-1
Candidate: 6.1.90-1
*** 6.1.90-1 500
500 http://security.debian.org bookworm-security/main amd64 Packages
100 /var/lib/dpkg/status
6.1.76-1 500
500 https://mirror.debian.example/debian bookworm/main amd64 Packages
6.1.67-1 500
500 https://mirror.debian.example/debian bookworm-updates/main amd64 Packages
I also double-checked, and 6.1.0-13 is indeed the ABI version
immediately preceding the kernel bugs incident. The kernels affected
by that in mainline Debian were 6.1.0-14/6.1.64* and 6.1.0-15/6.1.66*;
the latter by unrelated bug #1057967 which may or may not affect you.
This further reinforces my belief that the problem is likely to be an
errant apt pin meant to exclude those kernels from being installed
accidentally, and which ended up matching too much. (The other obvious
possibility would be that the mirror you're using stopped updating
around that time, but frankly that seems less likely, especially if
you are seeing the same behavior across two different hosting
providers.)
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
Tom Browder
2024-06-03 16:30:01 UTC
Post by Michael Kjörling
Post by Tom Browder
I keep getting emails concerning the serious kernel vulnerability in
kernels 5.14 through 6.6.
I have not seen any updates and uname -a shows: 6.1.0-13-amd64
Something's broken on your end.
Bookworm is currently at ABI 6.1.0-21 / kernel 6.1.90-1 since May 6
Michael, on one of my hosts I discovered both 13 and 21 pkgs are installed. I
did a reboot and I get uname -a = 6.1.0-21-amd64.

I must have missed a msg at some point.

Thanks for your concern and help.

-Tom
Michael Kjörling
2024-06-03 16:40:01 UTC
Post by Tom Browder
Thanks for your concern and help.
You're welcome. Glad you got it sorted.
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
e***@gmx.us
2024-06-03 18:20:01 UTC
Post by Tom Browder
I keep getting emails concerning the serious kernel vulnerability in
kernels 5.14 through 6.6.
I have not seen any updates and uname -a shows: 6.1.0-13-amd64
Anyone concerned?
I have the same kernel, and no updates.

***@cerberus:~$ sudo apt-get update
[sudo] password for eben:
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian bookworm-proposed-updates InRelease
Hit:4 http://deb.debian.org/debian bookworm-backports InRelease
Hit:5 http://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 https://deb.torproject.org/torproject.org bookworm InRelease
Hit:7 https://www.deb-multimedia.org bookworm InRelease
Reading package lists... Done

***@cerberus:~$ apt list --upgradable
Listing... Done

***@cerberus:~$ apt-cache policy linux-image-amd64
linux-image-amd64:
  Installed: (none)
  Candidate: 6.1.90-1
  Version table:
     6.7.12-1~bpo12+1 100
        100 http://deb.debian.org/debian bookworm-backports/main amd64 Packages
     6.1.90-1 500
        500 http://deb.debian.org/debian bookworm-proposed-updates/main amd64 Packages
        500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages
     6.1.76-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
     6.1.67-1 500
        500 http://deb.debian.org/debian bookworm-updates/main amd64 Packages

What am I doing wrong? Also, I'm not sure how to interpret the apt-cache
output.


--

This message was created using recycled electrons.
Greg Wooledge
2024-06-03 19:10:02 UTC
Post by e***@gmx.us
Installed: (none)
Candidate: 6.1.90-1
What am I doing wrong?
You haven't installed the linux-image-amd64 metapackage, which means
you will not be offered new kernel versions automatically. This isn't
technically "wrong", but it's not (or should not be) a common choice.
e***@gmx.us
2024-06-03 21:00:01 UTC
Post by Greg Wooledge
Post by e***@gmx.us
Installed: (none)
Candidate: 6.1.90-1
What am I doing wrong?
You haven't installed the linux-image-amd64 metapackage, which means
you will not be offered new kernel versions automatically. This isn't
technically "wrong", but it's not (or should not be) a common choice.
***@cerberus:~$ apt-cache policy linux-image-amd64
linux-image-amd64:
Installed: 6.1.90-1
Candidate: 6.1.90-1

Excellent, thank you.

Also, if you happen to have a bit of a post selected in Tbird when you hit
"Reply List", it starts your reply with just that piece. That's a
reasonable action, I guess, just not what I expected.

--
LEO: Now is not a good time to photocopy your butt and staple it
to your boss' face, oh no. Eat a bucket of tuna-flavored pudding
and wash it down with a gallon of strawberry Quik. -- Weird Al
Timothy M Butterworth
2024-06-04 04:10:01 UTC
Post by e***@gmx.us
Post by Tom Browder
I keep getting emails concerning the serious kernel vulnerability in
kernels 5.14 through 6.6.
I have not seen any updates and uname -a shows: 6.1.0-13-amd64
Anyone concerned?
I have the same kernel, and no updates.
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian bookworm-proposed-updates InRelease
Hit:4 http://deb.debian.org/debian bookworm-backports InRelease
Hit:5 http://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 https://deb.torproject.org/torproject.org bookworm InRelease
Hit:7 https://www.deb-multimedia.org bookworm InRelease
Reading package lists... Done
Listing... Done
Installed: (none)
Candidate: 6.1.90-1
6.7.12-1~bpo12+1 100
100 http://deb.debian.org/debian bookworm-backports/main amd64 Packages
The above line shows that you have kernel 6.7.12 from Debian Backports
installed. You will not get any new 6.1.x kernel packages because 6.7.12 is
newer and has a priority of 100. To verify your kernel version try
running `uname -a`. If it doesn't report 6.7.12 then try rebooting.
Post by e***@gmx.us
6.1.90-1 500
500 http://deb.debian.org/debian bookworm-proposed-updates/main amd64 Packages
500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages
6.1.76-1 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
6.1.67-1 500
500 http://deb.debian.org/debian bookworm-updates/main amd64 Packages
What am I doing wrong? Also, I'm not sure how to interpret the apt-cache
output.
--
This message was created using recycled electrons.
--
⢀⣎⠟⠻⢶⣊⠀
⣟⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
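
The situations that came up in this thread (metapackage not installed, a newer image installed but the old kernel still running, an upgrade not yet applied) can be told apart mechanically. The following is an added example, not code from any poster: the function name `kernel_state`, its state labels and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Classify a host's kernel-update state from three inputs:
#   $1  text of `apt-cache policy linux-image-amd64`
#   $2  running kernel release (`uname -r`)
#   $3  newline-separated releases of the installed linux-image-<release>
#       packages (as shown by: dpkg -l 'linux-image-[0-9]*')
kernel_state() {
    policy=$1
    running=$2
    installed_list=$3
    inst=$(printf '%s\n' "$policy" | awk '$1 == "Installed:" {print $2; exit}')
    cand=$(printf '%s\n' "$policy" | awk '$1 == "Candidate:" {print $2; exit}')
    # Version sort so that 6.1.0-9 orders before 6.1.0-13.
    newest=$(printf '%s\n' "$installed_list" | sort -V | tail -n 1)

    if [ -z "$inst" ] || [ "$inst" = "(none)" ]; then
        echo "metapackage-missing"   # nothing pulls in new kernel ABI packages
    elif [ "$inst" != "$cand" ]; then
        echo "upgrade-pending"       # candidate not installed: upgrade, or check holds
    elif [ -n "$newest" ] && [ "$running" != "$newest" ]; then
        echo "reboot-needed"         # newer image on disk, old kernel still running
    else
        echo "current"
    fi
}

# Constructed samples modelled on the outputs quoted in the thread.
POLICY_NO_META='linux-image-amd64:
  Installed: (none)
  Candidate: 6.1.90-1'
POLICY_OK='linux-image-amd64:
  Installed: 6.1.90-1
  Candidate: 6.1.90-1'
POLICY_BEHIND='linux-image-amd64:
  Installed: 6.1.67-1
  Candidate: 6.1.90-1'
IMAGES='6.1.0-13-amd64
6.1.0-21-amd64'

kernel_state "$POLICY_NO_META" 6.1.0-13-amd64 '6.1.0-13-amd64'
kernel_state "$POLICY_BEHIND"  6.1.0-13-amd64 '6.1.0-13-amd64'
kernel_state "$POLICY_OK"      6.1.0-13-amd64 "$IMAGES"
kernel_state "$POLICY_OK"      6.1.0-21-amd64 "$IMAGES"
```

A pin that caps the version also lowers the Candidate, so a "current" result on a host that still runs an old kernel calls for a look at the full version table and at `/etc/apt/preferences*`.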