File: linux-image.NEWS

linux-latest (105+deb10u14) buster-security; urgency=high

  * From Linux 4.19.232-1, the Extended Berkeley Packet Filter (eBPF)
    facility is no longer enabled by default for users without the
    CAP_SYS_ADMIN capability (this normally means only the root user).

    eBPF can be used for speculative execution side-channel attacks, and
    earlier attempts to mitigate this have not completely succeeded.

    This can be overridden by setting the sysctl:

        kernel.unprivileged_bpf_disabled=0

 -- Ben Hutchings <benh@debian.org>  Mon, 07 Mar 2022 22:37:11 +0100

linux-latest (86) unstable; urgency=medium

  * From Linux 4.13.10-1, AppArmor is enabled by default.  This allows
    defining a "profile" for each installed program that can mitigate
    security vulnerabilities in it.  However, an incorrect profile might
    disable some functionality of the program.

    In case you suspect that an AppArmor profile is incorrect, see
    <https://lists.debian.org/debian-devel/2017/11/msg00178.html> and
    consider reporting a bug in the package providing the profile.  The
    profile may be part of the program's package or apparmor-profiles.

 -- Ben Hutchings <ben@decadent.org.uk>  Thu, 30 Nov 2017 20:08:25 +0000

linux-latest (81) unstable; urgency=medium

  * From Linux 4.10, the old 'virtual syscall' interface on 64-bit PCs
    (amd64) is disabled.  This breaks chroot environments and containers
    that use (e)glibc 2.13 and earlier, including those based on Debian 7
    or RHEL/CentOS 6.  To re-enable it, set the kernel parameter:
    vsyscall=emulate

 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 30 Jun 2017 23:50:03 +0100

linux-latest (76) unstable; urgency=medium

  * From Linux 4.8, several changes have been made in the kernel
    configuration to 'harden' the system, i.e. to mitigate security bugs.
    Some changes may cause legitimate applications to fail, and can be
    reverted by run-time configuration:
    - On most architectures, the /dev/mem device can no longer be used to
      access devices that also have a kernel driver.  This breaks dosemu
      and some old user-space graphics drivers.  To allow this, set the
      kernel parameter: iomem=relaxed
    - The kernel log is no longer readable by unprivileged users.  To
      allow this, set the sysctl: kernel.dmesg_restrict=0

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100

linux-latest (75) unstable; urgency=medium

  * From Linux 4.7, the iptables connection tracking system will no longer
    automatically load helper modules.  If your firewall configuration
    depends on connection tracking helpers, you should explicitly load the
    required modules.  For more information, see
    <https://home.regit.org/netfilter-en/secure-use-of-helpers/>.

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Oct 2016 01:53:18 +0100
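An added audit script (not part of the Debian NEWS file or the linux-latest package) that reports which of the run-time overrides described in the entries above are in effect: the two sysctls (kernel.unprivileged_bpf_disabled, kernel.dmesg_restrict) and the two boot parameters (vsyscall=emulate, iomem=relaxed). Which sysctl values count as "hardened" is my reading of the entries and the kernel sysctl documentation, not something the NEWS file states; the check helpers take their input as arguments so they can be run on constructed values.

```shell
#!/bin/sh
# Added audit script, not part of the Debian NEWS file. It reads live values
# from /proc, but the check helpers take their input as arguments so they can
# be exercised on constructed values without root or a matching kernel.

# Exit 0 when VALUE is the hardened setting for sysctl KEY, 1 when relaxed,
# 2 for a key this script does not know.
sysctl_is_hardened() {
    key=$1; value=$2
    case "$key" in
        kernel.unprivileged_bpf_disabled)
            # 0 re-enables unprivileged bpf(); 1 and 2 both keep it disabled
            [ "$value" = "1" ] || [ "$value" = "2" ] ;;
        kernel.dmesg_restrict)
            [ "$value" = "1" ] ;;
        *) return 2 ;;
    esac
}

# Exit 0 when the boot command line CMDLINE contains PARAM as a whole word.
cmdline_has_param() {
    cmdline=$1; param=$2
    for word in $cmdline; do
        [ "$word" = "$param" ] && return 0
    done
    return 1
}

# Print the current value of a sysctl, or "absent" if this kernel lacks it.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Report every run-time override mentioned in the NEWS entries above.
audit_hardening() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    for key in kernel.unprivileged_bpf_disabled kernel.dmesg_restrict; do
        value=$(read_sysctl "$key")
        if sysctl_is_hardened "$key" "$value"; then s=OK; else s=RELAXED; fi
        echo "$s  $key=$value"
    done
    for param in vsyscall=emulate iomem=relaxed; do
        cmdline_has_param "$cmdline" "$param" &&
            echo "RELAXED  boot parameter $param is set"
    done
}

audit_hardening
```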