[SOLVED] Kernel upgrade for Slackware 14.2 (security and bug fixes)
Code:
Thu Nov 7 21:35:45 UTC 2019
patches/packages/linux-4.4.199/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 4.4.191:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15117
Fixed in 4.4.193:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835
Fixed in 4.4.194:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
Fixed in 4.4.195:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17054
Fixed in 4.4.196:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215
Fixed in 4.4.197:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20976
Fixed in 4.4.198:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133
Fixed in 4.4.199:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15098
(* Security fix *)
With these kernel 4.4.199 updates to slackware64-14.2, the kernel-firmware patch seems to be missing. When using slackpkg, this causes my system to prompt to revert back to kernel-firmware from 2016 in the original release.
edit: solved. packages are there now, thanks.
Last edited by twy; 11-09-2019 at 04:06 AM.
Reason: solved
With these kernel 4.4.199 updates to slackware64-14.2, the kernel-firmware patch seems to be missing. When using slackpkg, this causes my system to prompt to revert back to kernel-firmware from 2016 in the original release.
The kernel-firmware package is not upgraded at the same pace as the other kernel packages, as it is not linked to a specific kernel version.
I had noticed when I upgraded that my kernel-firmware package had reverted from a 2019 to 2016 version (fixed now with the new firmware package that was pushed). But what exactly is the difference between:
Code:
upgradepkg kernel-*.txz
(as per the instructions in that link), and:
Code:
slackpkg upgrade-all
(which is how I usually do it).
Aren't they more or less equivalent in the case where only kernel package updates are available? Why would `upgradepkg kernel-*.txz` not pick up kernel-firmware*.txz also? Isn't the reason for the downgrade that the patch disappeared, rather than not upgrading via `upgradepkg kernel-*.txz`?
Why would `upgradepkg kernel-*.txz` not pick up kernel-firmware*.txz also?
Because it wasn't there in THAT directory (linux-4.4.199) yet (they were only added a day later), so slackpkg picked up the one for the original distribution instead (from the configured slackware mirror).
upgradepkg will never go to the internet, so will only upgrade the kernel packages you just downloaded.
I noticed when downloading the new kernel packages too that this upgrade didn't include the firmware, so I kept the ones from 4.4.190 (just moved them to another directory).
But why would the older 2019 firmware disappear before the new one goes up (causing slackpkg to revert to an older firmware)? Just a glitch?
The older firmware was in a different directory (linux-4.4.190).
That whole directory got replaced BY the linux-4.4.199 one.
It probably would have been more consistent to put the firmware package into the /patches/packages directory instead of this versioned subdirectory.
But anyway, slackpkg is the wrong tool to update kernel packages, because normally you would want to "install" some of the packages (like the running kernel) and "upgrade" others (like the kernel source).
And you normally would have to install only one of the newer kernels, either the "huge" one or the "generic" one (and for the latter you would need to install the corresponding -modules one too).
I always download all of the new packages (into my private mirror) and then use either installpkg or upgradepkg on the ones I need on my system.
The older firmware was in a different directory (linux-4.4.190).
That whole directory got replaced BY the linux-4.4.199 one.
Note: with the Slackware 14.2 update to a 4.4.201 kernel the -firmware package has disappeared again!
So do NOT use slackpkg for kernel update packages or your firmware will be downgraded again.
Note: with the Slackware 14.2 update to a 4.4.201 kernel the -firmware package has disappeared again!
So do NOT use slackpkg for kernel update packages or your firmware will be downgraded again.
kernel-firmware-20191108_f1100dd-noarch-1.txz is in /patches now though, so slackpkg is not offering a downgrade for me with `slackpkg upgrade-all`.
(note the directory linux-4.4.199 in there, which has now disappeared) so the problem has been solved.
patches/packages is a better directory for it anyway, as it is not kernel version related - as mentioned before: kernel-firmware has its own release schedule.
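A pre-flight check for the firmware downgrade described in this thread, as an added example that is not part of any post: it parses Slackware package names and reports when a candidate package is older than the installed one. The function names are hypothetical, and the candidate firmware version string is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): detect when a package "upgrade" is
# really a downgrade. Slackware names are name-version-arch-build, and the
# name may itself contain hyphens, so fields are counted from the right.

# pkg_field <package> <name|version>  (hypothetical helper)
pkg_field() {
    base=${1##*/}          # drop any directory part
    base=${base%.t?z}      # drop .txz/.tgz if present
    rest=${base%-*}        # strip build
    rest=${rest%-*}        # strip arch
    case $2 in
        name)    printf '%s\n' "${rest%-*}" ;;
        version) printf '%s\n' "${rest##*-}" ;;
    esac
}

# is_downgrade <installed> <candidate>
# returns 0 if candidate is older, 1 if same or newer, 2 if names differ
is_downgrade() {
    [ "$(pkg_field "$1" name)" = "$(pkg_field "$2" name)" ] || return 2
    old=$(pkg_field "$1" version)
    new=$(pkg_field "$2" version)
    [ "$old" = "$new" ] && return 1
    # sort -V (GNU coreutils) orders 4.4.99 before 4.4.199 and date stamps by date
    lowest=$(printf '%s\n%s\n' "$old" "$new" | sort -V | head -n 1)
    [ "$lowest" = "$new" ]
}

# Installed name is the firmware package quoted in the thread; the candidate
# is a constructed stand-in for the 2016 release package.
installed="kernel-firmware-20191108_f1100dd-noarch-1"
candidate="kernel-firmware-20160101_0000000-noarch-1.txz"

if is_downgrade "$installed" "$candidate"; then
    echo "WARNING: $candidate is older than installed $installed"
fi
```

On Slackware 14.2 the installed names are the file names under /var/log/packages, so the first argument can be taken from a listing of that directory.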
Sat Nov 16 20:35:54 UTC 2019
patches/packages/linux-4.4.202/*: Upgraded.
CRYPTO_CRC32C_INTEL m -> y
+X86_INTEL_TSX_MODE_AUTO n
+X86_INTEL_TSX_MODE_OFF y
+X86_INTEL_TSX_MODE_ON n
These updates fix various bugs and security issues, including mitigation for
the TSX Asynchronous Abort condition on some CPUs.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 4.4.201:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154
Fixed in 4.4.202:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
(* Security fix *)
# /home/magic/Downloads/spectre-meltdown-checker.sh --batch
CVE-2017-5753: OK (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715: OK (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754: OK (Mitigation: PTI)
CVE-2018-3640: OK (your CPU microcode mitigates the vulnerability)
CVE-2018-3639: OK (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615: OK (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620: OK (Mitigation: PTE Inversion)
CVE-2018-3646: OK (this system is not running a hypervisor)
CVE-2018-12126: OK (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12130: OK (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12127: OK (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2019-11091: OK (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2019-11135: OK (your CPU vendor reported your CPU model as not vulnerable)
root@igloo: Sat Nov 16 19:09:11 : ~