Linux 7.0.9 (and others)
Posted by ilep@reddit | linux | 21 comments
The usual kernel -stable updates with a multitude of patches. Releases 7.0.9, 6.18.32, 6.12.90 and 6.6.140; relevant places and mirrors might take a bit to catch up. Again, everyone should upgrade as there are important fixes all around.
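A small check a defender might run after an announcement like this, added here as an example and not part of the post: it parses a `uname -r` style release string and compares it against the four -stable releases named above for the matching series. The series table, the helper names and the sample strings are the example's own assumptions; the release numbers are the ones the post lists.

```python
"""Check whether a running kernel is at or above the -stable release named
for its series. Example code added alongside the thread, not from the post."""
import re

# Minimum fixed version per stable series (major, minor), taken from the
# post: 7.0.9, 6.18.32, 6.12.90 and 6.6.140.
FIXED_RELEASES = {
    (7, 0): (7, 0, 9),
    (6, 18): (6, 18, 32),
    (6, 12): (6, 12, 90),
    (6, 6): (6, 6, 140),
}

# Leading "major.minor[.patch]"; anything after (e.g. "-generic") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str):
    """Parse a `uname -r` style string such as '6.12.85-generic' into a
    (major, minor, patch) tuple. Distro suffixes are dropped."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def upgrade_status(release: str):
    """Return 'current', 'outdated' or 'unknown-series'.

    'unknown-series' means the host runs a series the post does not list
    (for example an end-of-life branch); treat that as a finding to follow
    up, not as reassurance."""
    ver = parse_kernel_version(release)
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        return "unknown-series"
    return "current" if ver >= fixed else "outdated"


if __name__ == "__main__":
    import platform

    rel = platform.release()  # e.g. "6.12.85-generic" on a Linux host
    try:
        print(f"{rel}: {upgrade_status(rel)}")
    except ValueError as exc:
        print(exc)
```

The comparison is only meaningful for kernels that track upstream -stable numbering. Enterprise and derivative distributions (the RHEL, AlmaLinux and Debian cases discussed further down the thread) backport fixes without bumping the upstream version, so for those hosts the distribution's own advisory or package changelog is the authoritative check, not the version string.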
QuickYogurt2037@reddit
Next batch of AI-assisted vulnerabilities with the help of Claude Mythos?
ilep@reddit (OP)
Linus commented on -rc4 that AI tools have caused problems:
https://lwn.net/Articles/1073192/
qwertydiy@reddit
Hopefully not, but most likely no. Most of those have been in for ages.
TheBendit@reddit
The opposite: they were not put in by Mythos (or its competitors), they were found by them.
Finding vulnerabilities in the Linux kernel is always a big deal, both because it is a high profile project and because the code quality is generally high. It has already been through tons of automated testing and fuzzing, and numerous code-checkers went through it even before AI. The researchers get a lot of publicity from Linux kernel vulnerabilities that other projects struggle to match.
The upside is that the kernel code gets even better now. The downside is surviving the next month or two. Hopefully no one has old out-of-support installations sitting around...
QuickYogurt2037@reddit
security engineers already: I'm tired boss
qwertydiy@reddit
To be fair that is exactly what I was trying to say. As more of these niche ones are found the system improves and there aren't that many to find (as long as you are updating, which many people aren't).
QuickYogurt2037@reddit
Yes but they are just getting discovered now, one by one
qwertydiy@reddit
I am saying though that the chances of adding a new vuln overnight from a FRESH patch are low. AI is nowhere near that good yet.
w2qw@reddit
Is just me or is that a huge amount of changes for a patch release?
ilep@reddit (OP)
Not really, it is the usual. Releases with only a few patches are abnormal and usually urgent for some issue. Releases tend to collect more patches so that there isn't need to update quite so often.
QuickYogurt2037@reddit
It's actually below average, usually it's ~300 commits for a patch release. This one has 198 commits.
qwertydiy@reddit
Thank goodness the infamous Dirty Frag is defeated (if you actually bother to update the kernel that is, which a worrying amount of companies do not).
screaming-Snake-Case@reddit
DirtyFrag was patched 1/2 in 7.0.6 and fully in 7.0.7. More importantly, Fragnesia seems to still be unpatched to this date. The patch wasn't listed in any further kernel release, and Debian still reports it as unpatched upstream.
we_are_mammals@reddit
AlmaLinux apparently backported and applied these patches ahead of their upstream (RHEL). Not sure if this is good or bad. But they did it.
jonspw@reddit
Why would you think it would be reckless?
we_are_mammals@reddit
I don't know for sure, but it seems likely that RHEL has a lot more dev muscle behind it than AlmaLinux/RockyLinux, and they chose to move slow on this one. There might be a reason for this, presumably?
jonspw@reddit
The majority of the time when we release patches early, what Red Hat ultimately releases is virtually identical.
We can't know why they choose to wait or not - we can only do what's in the best interest of our users. That's the value of being more than just a clone, we can serve the needs of our users when they don't necessarily align with Red Hat, so long as it doesn't break compatibility.
we_are_mammals@reddit
"Those other 49% of cases -- you don't need to worry about them" (Sorry)
On a more serious note, I wonder how much you gain (in time), by not being just a clone -- if you just applied and recompiled Red Hat's patches, the updates would be delayed, but by how much, on average?
BTW, RockyLinux was "just a clone", until recently, right? But they also opened a not-from-upstream channel in light of the recent security avalanche?
jonspw@reddit
It doesn't really matter if the patches we release are 100% identical to what Red Hat releases in these cases. We rebase to Red Hat once they release their stuff anyway. There's more than one way to backport a fix successfully.
I can't speak for Rocky.
demonstar55@reddit
Gentoo has a similar patch included in gentoo-kernel and gentoo-sources.
BashfulMelon@reddit
literally just as bad as micro$lop, I'm switching to Xenix