katabami n00b
Joined: 11 Jul 2009 Posts: 40
Posted: Sat Sep 03, 2011 4:48 am Post subject: [Solved] When to upgrade kernel to secure home PC?
Hi. When should I upgrade the kernel to be secure? My PC is for desktop use and I connect to the internet with DSL. Put differently, how do you know which kernel security information is relevant to you?
I watch the Debian security notification page (in addition to GLSA; I know GLSA excludes the kernel), but that doesn't help much for the gentoo or vanilla kernel. It's an old question, and I've been a Linux user for more than a decade, but I'm still not sure. ;)
My rule was to compile the latest stable gentoo source, but some time ago I tried git kernel to bisect, and the former habit is gone.
Thanks beforehand.
Last edited by katabami on Thu Sep 15, 2011 6:05 am; edited 1 time in total
mp342 Apprentice
Joined: 03 Aug 2010 Posts: 165 Location: France
Posted: Sat Sep 03, 2011 9:51 am Post subject:
If you use the latest stable gentoo source, a new ebuild is pushed when there is a security issue.
katabami n00b
Joined: 11 Jul 2009 Posts: 40
Posted: Tue Sep 06, 2011 8:08 am Post subject:
Thanks, mp342. One "problem" there is this: suppose 2.6.40-r4 is the latest stable, and 2.6.40-r10 is the latest in the 2.6.40 series. Now comes a security fix. Then the patch is applied on top of r10, right? Usually r11 won't be stable so soon; I don't know what makes r10/r11 testing, and I'm hesitant to use it. (It seems this issue has been discussed, but I'm a layman who doesn't know about it at all.)
But that's not much of a problem; I don't even know if there are any security issues which affect me, r4, r11, or whichever. I'd like to omit unnecessary kernel compilation, but is that not recommended in Gentoo? (I know server users can stick to 2.6.32.)
An introduction for Gentoo newcomers on this point would be good, and it would also be good for a 7-year user like me. ;)
mp342 Apprentice
Joined: 03 Aug 2010 Posts: 165 Location: France
Posted: Tue Sep 06, 2011 8:25 am Post subject:
Here is what I have understood about security fixes:
When a security bug for a stable ebuild is discovered, a new release of the ebuild is published (I don't know what the base for this ebuild is, the last stable release or the last release of the series).
This new release is stabilized within a few days; I think the delay depends on the severity of the security bug.
Have a look at the changelog of the ebuild you use for your kernel and search for 'security'; you'll understand better.
Regards.
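One way to automate the "search the changelog for 'security'" check mp342 describes, as an added example that is not from the thread: the ChangeLog text, the dates and the helper names are constructed placeholders, and the version comparison assumes a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: automate "search the gentoo-sources ChangeLog for 'security'".
# CHANGELOG below is CONSTRUCTED in the old Gentoo ChangeLog layout; the
# versions, dates and names in it are placeholders, not real entries.
set -eu

CHANGELOG='*gentoo-sources-2.6.39-r4 (05 Aug 2011)

  05 Aug 2011; Example Dev <dev@example.invalid> +gentoo-sources-2.6.39-r4.ebuild:
  Linux patch 2.6.39.4. Security fix (constructed entry).

*gentoo-sources-2.6.39-r3 (29 Jul 2011)

  29 Jul 2011; Example Dev <dev@example.invalid> +gentoo-sources-2.6.39-r3.ebuild:
  Linux patch 2.6.39.3. Bug fixes only (constructed entry).
'

# Print the version of the newest entry whose text mentions "security".
# Entries are newest-first, so the first hit is the one we want.
latest_security_version() {
  awk '
    /^\*gentoo-sources-/ { ver = $1; sub(/^\*gentoo-sources-/, "", ver); next }
    ver != "" && found == "" && tolower($0) ~ /security/ { found = ver }
    END { print found }
  '
}

# Map "2.6.39-gentoo-r3" (uname -r) to the ebuild version "2.6.39-r3".
ebuild_version_from_uname() {
  printf '%s\n' "$1" | sed 's/-gentoo//'
}

# Succeed only if the running version sorts strictly before the fixed one.
needs_upgrade() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# With --run, compare the (constructed) ChangeLog against the live kernel.
if [ "${1:-}" = "--run" ]; then
  fixed=$(printf '%s' "$CHANGELOG" | latest_security_version)
  running=$(ebuild_version_from_uname "$(uname -r)")
  if needs_upgrade "$running" "$fixed"; then
    echo "running $running, security fix in $fixed: upgrade"
  else
    echo "running $running, newest security fix is $fixed: nothing to do"
  fi
fi
```

On a real system you would feed the actual ChangeLog (or `git log` of the ebuild) into `latest_security_version` instead of the constructed text.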
katabami n00b
Joined: 11 Jul 2009 Posts: 40
Posted: Mon Sep 12, 2011 11:15 pm Post subject:
I didn't know that. Thanks.
But there's one thing I don't understand: Debian has released kernel security fixes 4 times this year so far [1], but the gentoo-sources ChangeLog doesn't have the word "security" that often. I don't know Debian and I do think this comparison is naive, but can anyone resolve my question?
[1] http://www.debian.org/security/2011/
Regards.
mp342 Apprentice
Joined: 03 Aug 2010 Posts: 165 Location: France
Posted: Tue Sep 13, 2011 6:21 am Post subject:
If Debian's policy hasn't changed since I used it, Debian uses a specific version of the kernel for each stable release. When a security issue is found, they backport the fix to the stable version.
With Gentoo, the stable kernel version moves continuously, which could explain why there are fewer security fixes.
I'm not an expert in Gentoo security, if someone has a better explanation.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Tue Sep 13, 2011 9:38 am Post subject:
Security fixes push a version to stable.
So if you run a stable kernel X-r1 and the unstable one is X-r10, the security fix will stabilize X-r11 (for a critical issue, and it will be the -r10 one + the version bump for the fix), and then stable & unstable could be the same for a moment.
And you have fewer security fixes vs Debian because they stick to a kernel version and so need to publish far more security fixes to backport them, as generally a security issue found in a kernel version also affects previous versions.
And it's really a non-issue for a desktop system, because from an attacker's point of view it's a weak machine, as it could be kept offline a long time and rebooted when the user feels the need.
Most big kernel flaws are privilege escalation (the goal is to be root to get your computer under control); this implies access to it, and desktop computers have limited access by nature. They also have weak resources (slower, or limited by volume bandwidth in enterprises) or are just slower because poor users never really get high bandwidth from the ISP.
Additionally, using high CPU or bandwidth resources from that kind of computer will be easily detected by the user -> "Why the hell do I have such high ping in Quake Wars!"
As you see, no need to worry that much.
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Tue Sep 20, 2011 5:25 am Post subject:
I generally keep an eye on what the grsecurity/PaX people do.
They're often the first people to find a security flaw in the latest kernel.
So whenever they publish a fix, I keep an eye out, cross-reference, and update my kernel whenever the "official" devs have ported their own inferior fix into mainline.
It's imperfect, but at least by following grsecurity/PaX, you know of new bugs that exist fairly quickly. Cross-referencing their fixes to determine when a fix has reached mainline is a very unscientific process.