Legacy VMs: new kernels for CVE-2014-0196


#1

We have prepared new kernels for the legacy VM platform that have been patched to prevent the privilege escalation bug described in CVE-2014-0196.

Being leery of introducing such things just before the weekend when the level of support available to respond to any problems is lower, these new kernels are not going to be set as default until Monday. However, if you would prefer to gain protection from this bug immediately then you can select the new kernel now.

Depending on the kernel you are currently running, you should select from the following:
Stable-i386.kvm → linux-2.6.32.61-kvm-i386-20110317
Experimental-i386.kvm → linux-3.2.58-kvm-i386-20110111
AppArmor-i386.kvm → linux-2.6.36.4-kvm-i386-20110819cve20140196

Instructions for changing kernels are available here

I’ll post again on Monday when the default kernels have been updated. Also on Monday, we’ll be updating the version of qemu used for VMs to fix a couple of recently discovered security issues. More details to follow.


#2

The default kernels for the legacy platform have now been updated to fix CVE-2014-0196. If you are using the Stable, Experimental, or AppArmor kernel there is no need to explicitly change kernel: just halt your VM and it will restart with the updated kernel.

We were also planning to upgrade the version of qemu today, but testing revealed a problem that we’ve not yet been able to fix. In due course, we shall be migrating VMs to allow the host kernels to be upgraded as well as to move to the upgraded version of qemu. Details will be announced here.


#3

If you are using the Stable, Experimental, or AppArmor kernel there is no need to explicitly change kernel: just halt your VM and it will restart with the updated kernel.

I am currently running linux-3.2.0-kvm-i386-20120111. Is the Stable kernel now a 3.2 kernel? If not, is there a 3.2 kernel I should change to?

Is there somewhere I can look to see what kernel versions the Stable, Experimental, or AppArmor kernels are based on?


#4

Hi, Graham.

Sorry it’s taken a while to get back to you on this. Stable is still a 2.6.32 kernel. There’s no easy way at the moment to tell exactly which kernel version the Stable, Experimental, etc. point to, sorry. However, I have now created links called Linux3.2 and Linux3.4, which obviously point at the current versions of the 3.2 and 3.4 kernels, so Linux3.2 might be a good choice for you.

Also, I’m just about to push out new kernels to fix another local privilege escalation bug, so you might want to wait for that before starting your new kernel.