Update 3.19 kernel to 3.19.3
Closed, Resolved (Public)

Description

We should update the 3.19 kernel to 3.19.4

Among other changes it provides https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a which might've been the cause for the aes256gcm crashes in the ipsec setup.

It also fixes other security issues (I'll add a list later on)

Event Timeline

MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description.
MoritzMuehlenhoff subscribed.

In practice, getting this to the to-be-ipsec nodes will take quite some time for cache reboots once it's in the repo and package updated on the hosts...

(I mention the above mainly as a side note about having ipsec rollout date depend on the fix or not)

MoritzMuehlenhoff renamed this task from Update 3.19 kernel to 3.19.4 to Update 3.19 kernel to 3.19.3. (Apr 17 2015, 4:46 PM)

3.19.3 was already built in Debian experimental and included the IPsec patch. Since the 3.19.4 update doesn't fix any further security issues and most of the changes are not relevant for us (e.g. asoc, wireless, arm, powerpc), I added that build to the jessie-wikimedia suite on apt.wikimedia.org instead.

This fixes CVE-2015-2150 and CVE-2015-2830.

Berkelium and Curium are now upgraded to Debian's 3.19.3 kernels containing the IPsec patch. Next, I will test the aes256gcm and ESN behavior.