The patch is important and all users must update

Jan 10, 2018 16:28 GMT

The Debian Project released updated Linux kernels for Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 8 "Jessie" operating system series to patch the Meltdown security vulnerability and other issues.

Last week, Debian GNU/Linux 9 "Stretch" users received the Linux kernel update that mitigates the Meltdown vulnerability (CVE-2017-5754). Meltdown affects billions of devices: it lets an unprivileged process read kernel memory at arbitrary addresses and, because the kernel maps physical memory into its own address space, the memory of other processes running on the unpatched machine. To patch the issue, Stretch users had to update the kernel to version 4.9.65-3+deb9u2.

"This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing `pti=off' to the kernel command line," reads the advisory.

In addition to the Meltdown patch, the Debian Project identified a regression affecting ancient userspaces that still use the vsyscall interface, such as containers and chroot environments built on (e)glibc 2.13 and older, including those based on Red Hat Enterprise Linux 6, CentOS 6, and Debian 7. Anyone hosting such legacy environments on a patched Stretch kernel should test them before rolling the update out widely. Debian said a fix for this regression will arrive in a later update, along with mitigations for the Spectre vulnerabilities.

15 security vulnerabilities fixed for Debian GNU/Linux 8 "Jessie"

Debian GNU/Linux 8 "Jessie" users, meanwhile, received their kernel update more recently. It addresses Meltdown together with 14 other security vulnerabilities: CVE-2017-8824, CVE-2017-15868, CVE-2017-16538, CVE-2017-16939, CVE-2017-17448, CVE-2017-17449, CVE-2017-17450, CVE-2017-17558, CVE-2017-17741, CVE-2017-17805, CVE-2017-17806, CVE-2017-17807, CVE-2017-1000407, and CVE-2017-1000410. Jessie users are urged to update to kernel 3.16.51-3+deb8u1.

These issues affect the Linux kernel's Bluetooth subsystem, KVM implementation, KEYS subsystem, HMAC implementation, the xt_osf module, the netfilter subsystem, the IPsec (xfrm) implementation, the dvb-usb-lmedm04 media driver, the DCCP implementation, and the Bluetooth Network Encapsulation Protocol (BNEP) implementation. Users of either Debian Stretch or Debian Jessie are urged to update immediately, bearing in mind that the new kernel only takes effect once the machine has been rebooted into it.
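To turn the two fixed version numbers above and the `pti=off` note from the advisory into something an administrator can run, here is an added example (not Debian's own tooling and not part of the advisories) that checks a Stretch or Jessie host: it reads the kernel package version that Debian kernels embed in /proc/version, compares it against the fixed version for its suite using a reimplementation of dpkg's version-ordering algorithm (so `3+deb9u10` correctly sorts above `3+deb9u2`), and reports whether KPTI has been turned off on the kernel command line. The sysfs `meltdown` status file is read only if it exists, since the kernels named here predate it. The sample /proc/version string used in the comments is constructed for illustration.

```python
#!/usr/bin/env python3
"""Check a Debian host against the Meltdown kernel advisories.

Added example, not Debian's own code.  It assumes the package versions
named in the article and that /proc/version carries the Debian package
version in the form '... #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)'.
"""
import os
import re

# Kernel package versions that carry the Meltdown (KPTI) fix, per suite.
FIXED_VERSIONS = {
    "stretch": "4.9.65-3+deb9u2",
    "jessie": "3.16.51-3+deb8u1",
}


def _order(c):
    """dpkg's character weighting: '~' sorts before anything, including the
    end of the string; letters by ASCII value; other punctuation after letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg's verrevcmp() does: alternate
    between non-digit runs (compared char by char via _order) and digit runs
    (compared numerically, leading zeros ignored)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():   # a has a longer digit run, so it is larger
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to or newer than b,
    following Debian policy: epoch first, then upstream version, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def suite_for_version(version):
    """3.16.x kernels belong to jessie, 4.9.x to stretch; None for anything else."""
    if version.startswith("3.16."):
        return "jessie"
    if version.startswith("4.9."):
        return "stretch"
    return None


def kernel_is_patched(version):
    """True if the package version is at or above the Meltdown fix for its suite."""
    suite = suite_for_version(version)
    if suite is None:
        raise ValueError("not a jessie or stretch kernel: %s" % version)
    return compare_versions(version, FIXED_VERSIONS[suite]) >= 0


def pti_disabled(cmdline):
    """True if the boot command line switches KPTI off: the advisory names
    pti=off, and the upstream patch set also accepts nopti."""
    tokens = cmdline.split()
    return "pti=off" in tokens or "nopti" in tokens


def version_from_proc(proc_version):
    """Extract the Debian package version from a /proc/version line, e.g.
    '... #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)' -> '4.9.65-3+deb9u2'."""
    m = re.search(r"\bDebian (\S+) \(", proc_version)
    return m.group(1) if m else None


if __name__ == "__main__":
    with open("/proc/version") as f:
        ver = version_from_proc(f.read())
    with open("/proc/cmdline") as f:
        cmd = f.read()
    print("kernel package version:", ver)
    if ver and suite_for_version(ver):
        print("Meltdown fix present:", kernel_is_patched(ver))
    else:
        print("Meltdown fix present: unknown (not a jessie/stretch kernel)")
    print("KPTI disabled on command line:", pti_disabled(cmd))
    sysfs = "/sys/devices/system/cpu/vulnerabilities/meltdown"
    if os.path.exists(sysfs):   # newer kernels only; absent on the versions above
        with open(sysfs) as f:
            print("sysfs meltdown status:", f.read().strip())
```

Run it as root or any user on the target host; the version check is the important part, since `uname -r` reports the ABI name (for example 4.9.0-5-amd64) rather than the package version and cannot tell a patched 4.9.65-3+deb9u2 from its unpatched predecessor.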