Originally Posted by angryfirelord
I apologize if this is slightly off topic and/or has been asked before, but is there a risk with running the 3.10.17 kernel when the latest upstream longterm release is 3.10.28? Are most of the fixes simply bug fixes or do the kernel security patches not really affect Slackware?
Long-term support (LTS) kernels, for a period of at least two years, admit patches which address:
- security issues and other bugs
- notable performance or interactivity issues
- new HW IDs and quirks
Many bug-fixes in LTS kernel trees specifically address security issues; others do not.
To give you a sense of magnitude of risk exposure, I've put together a partial list of vulnerabilities present in kernel 3.10.17:
CVE-2013-2929 CVE-2013-2930 CVE-2013-4270 CVE-2013-4348
CVE-2013-4470 CVE-2013-4511 CVE-2013-4512 CVE-2013-4513
CVE-2013-4514 CVE-2013-4515 CVE-2013-4516 CVE-2013-4563
CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368
CVE-2013-6376 CVE-2013-6378 CVE-2013-6380 CVE-2013-6381
CVE-2013-6382 CVE-2013-6383 CVE-2013-6431 CVE-2013-6432
CVE-2013-6763 CVE-2013-7026 CVE-2013-7027 CVE-2013-7263
CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267
CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271
CVE-2013-7281 CVE-2014-0038 CVE-2014-1438 CVE-2014-1444
The list's size might initially frighten, so it's important to point out that these issues vary in severity level, differing in access vectors, ease of exploitation, impact (e.g. DoS, information disclosure, privilege escalation, etc.), among other characteristics. In other words, some of the above occur only under uncommon configurations/circumstances and/or are of relatively low impact.
It is also important to be aware that not all of the above affect Slackware 14.1/current.
For example, CVE-2013-7271 doesn't because Slackware 14.1/current kernels don't ship with CCITT X.25 packet layer support.
On the other hand, the recent high-profile x32 ABI vulnerability that can be leveraged to gain root privileges (CVE-2014-0038) does affect Slackware 14.1/current on 64-bit platforms. The severity of that particular vulnerability drove me to author a counter-measure kernel module which I shared with the entire Linux community the day an exploit was made public (see earlier posts in this thread for details). [NEWS: 3.10.29, released 4 hours ago, contains a fix]
Judging from the relative infrequency with which Slackware has issued kernel upgrades for stable releases in the recent past (3 times in the last five years by my count), I conclude kernel vulnerabilities need to be particularly severe to trigger a Slackware update. On this point, it would be instructive (for me anyway) to hear directly from Pat on how he decides when to push new
I hope this answers your question and is valuable to other members of the Slackware community who might have been wondering
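As an added example (not code from the post above or from Slackware), here is a small POSIX shell script that applies the two checks the post makes by hand: whether the running kernel is numerically older than the release that carries the fix (3.10.29 per the post), and whether the kernel configuration options that gate two of the listed CVEs are actually enabled. It assumes the kernel config symbols CONFIG_X86_X32 (x32 ABI, prerequisite for CVE-2014-0038) and CONFIG_X25 (X.25 packet layer, prerequisite for CVE-2013-7271), that the config is readable from /proc/config.gz or /boot/config-$(uname -r), and that version numbers have at most three components each below 1000. The sample config it writes for demonstration is constructed, not copied from any Slackware release.

```shell
#!/bin/sh
# Added example: is this kernel older than the fixed release, and are the
# config options behind two of the listed CVEs switched on?

# ver_key VERSION: map "3.10.17-smp" to the integer 3010017 so versions can
# be compared with test(1). Assumes <= 3 components, each < 1000; any
# suffix starting at the first non-digit/non-dot character is dropped.
ver_key() {
    printf '%s' "$1" | sed 's/[^0-9.].*//' |
        awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }'
}

# ver_lt A B: exit 0 when version A is older than version B.
ver_lt() {
    [ "$(ver_key "$1")" -lt "$(ver_key "$2")" ]
}

# cfg_enabled CONFIG_FOO FILE: exit 0 when the option is built in (=y) or
# as a module (=m) in a kernel .config-style text file.
cfg_enabled() {
    grep -Eq "^$1=[ym]\$" "$2"
}

# write_sample_cfg FILE: constructed sample resembling a 64-bit config with
# the x32 ABI on and X.25 off (the situation the post describes).
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample config, not a real Slackware .config
CONFIG_X86_64=y
CONFIG_X86_X32=y
# CONFIG_X25 is not set
EOF
}

# report RUNNING FIXED CONFIGFILE: print the assessment for one machine.
report() {
    running="$1"; fixed="$2"; cfg="$3"
    if ver_lt "$running" "$fixed"; then
        echo "kernel $running is older than $fixed: fixes from $fixed are missing"
    else
        echo "kernel $running is at or past $fixed"
    fi
    if cfg_enabled CONFIG_X86_X32 "$cfg"; then
        echo "CONFIG_X86_X32 enabled: the x32 ABI bug (CVE-2014-0038) is reachable"
    else
        echo "CONFIG_X86_X32 disabled: CVE-2014-0038 does not apply"
    fi
    if cfg_enabled CONFIG_X25 "$cfg"; then
        echo "CONFIG_X25 enabled: the X.25 bug (CVE-2013-7271) applies"
    else
        echo "CONFIG_X25 disabled: CVE-2013-7271 does not apply"
    fi
}

# Stand-alone run: use the live config if one is readable, otherwise the
# constructed sample so the script still demonstrates the output.
FIXED_RELEASE=3.10.29
if [ -r /proc/config.gz ]; then
    tmp=$(mktemp); zcat /proc/config.gz > "$tmp"
    report "$(uname -r)" "$FIXED_RELEASE" "$tmp"; rm -f "$tmp"
elif [ -r "/boot/config-$(uname -r)" ]; then
    report "$(uname -r)" "$FIXED_RELEASE" "/boot/config-$(uname -r)"
else
    tmp=$(mktemp); write_sample_cfg "$tmp"
    echo "(no live kernel config found; using constructed sample)"
    report 3.10.17 "$FIXED_RELEASE" "$tmp"; rm -f "$tmp"
fi
```

The version comparison is deliberately numeric rather than a string sort, since "3.10.9" sorts after "3.10.17" lexically. The config check only tells you whether a code path is compiled in; whether it is reachable from an unprivileged user on a given box still has to be judged per CVE, which is the point the post makes about severity varying.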