Wow, CVE much? Can someone say "ran the kernel through some kind of analyzer"? I know how to check each CVE to see if any are other-than-nothingburger, but how to check 30-50 at once to see if any are other-than-nothingburger?
I haven't seen a sheet like this for the kernel in a long time!
Might be one of the rare cases where it's just easier to update & reboot... sigh
Begin forwarded message:
Date: Fri, 3 May 2024 01:38:45 +0000 (UTC) From: updates@fedoraproject.org To: package-announce@lists.fedoraproject.org Subject: [SECURITY] Fedora 38 Update: kernel-6.8.8-100.fc38
-------------------------------------------------------------------------------- References:
[ 1 ] Bug #2276666 - CVE-2024-26922 kernel: drm/amdgpu: validate the parameters of bo mapping operations more clearly [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2276666 [ 2 ] Bug #2277155 - Fedora 39 - Device Driver for ISM not configured in kernel https://bugzilla.redhat.com/show_bug.cgi?id=2277155 [ 3 ] Bug #2277170 - CVE-2024-26924 kernel: netfilter: nft_set_pipapo: do not free live element [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2277170 [ 4 ] Bug #2278253 - CVE-2024-27022 kernel: fork: defer linking file vma until vma is fully initialized [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278253 [ 5 ] Bug #2278255 - CVE-2024-27021 kernel: r8169: fix LED-related deadlock on module removal [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278255 [ 6 ] Bug #2278257 - CVE-2024-27020 kernel: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278257 [ 7 ] Bug #2278259 - CVE-2024-27019 kernel: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278259 [ 8 ] Bug #2278261 - CVE-2024-27018 kernel: netfilter: br_netfilter: skip conntrack input hook for promisc packets [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278261 [ 9 ] Bug #2278263 - CVE-2024-27017 kernel: netfilter: nft_set_pipapo: walk over current view on netlink dump [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278263 [ 10 ] Bug #2278265 - CVE-2024-27016 kernel: netfilter: flowtable: validate pppoe header [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278265 [ 11 ] Bug #2278267 - CVE-2024-27015 kernel: netfilter: flowtable: incorrect pppoe tuple [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278267 [ 12 ] Bug #2278269 - CVE-2024-27014 kernel: net/mlx5e: Prevent deadlock while disabling aRFS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278269 [ 13 ] Bug #2278271 - CVE-2024-27013 kernel: tun: limit printing rate when illegal packet received by tun dev [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278271 [ 14 ] Bug #2278276 - CVE-2024-27012 kernel: netfilter: nf_tables: restore set elements when delete set fails [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278276 [ 15 ] Bug #2278278 - CVE-2024-27011 kernel: netfilter: nf_tables: fix memleak in map from abort path [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278278 [ 16 ] Bug #2278280 - CVE-2024-27010 kernel: net/sched: Fix mirred deadlock on device recursion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278280 [ 17 ] Bug #2278282 - CVE-2024-27009 kernel: s390/cio: fix race condition during online processing [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278282 [ 18 ] Bug #2278284 - CVE-2024-27008 kernel: drm: nv04: Fix out of bounds access [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278284 [ 19 ] Bug #2278286 - CVE-2024-27007 kernel: userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278286 [ 20 ] Bug #2278288 - CVE-2024-27006 kernel: thermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278288 [ 21 ] Bug #2278290 - CVE-2024-27005 kernel: interconnect: Don't access req_list while it's being manipulated [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278290 [ 22 ] Bug #2278292 - CVE-2024-27004 kernel: clk: Get runtime PM before walking tree during disable_unused [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278292 [ 23 ] Bug #2278294 - CVE-2024-27003 kernel: clk: Get runtime PM before walking tree for clk_summary [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278294 [ 24 ] Bug #2278296 - CVE-2024-27002 kernel: clk: mediatek: Do a runtime PM get on controllers during probe [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278296 [ 25 ] Bug #2278298 - CVE-2024-27001 kernel: comedi: vmk80xx: fix incomplete endpoint checking [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278298 [ 26 ] Bug #2278300 - CVE-2024-27000 kernel: serial: mxs-auart: add spinlock around changing cts state [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278300 [ 27 ] Bug #2278302 - CVE-2024-26999 kernel: serial/pmac_zilog: Remove flawed mitigation for rx irq flood [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278302 [ 28 ] Bug #2278304 - CVE-2024-26998 kernel: serial: core: Clearing the circular buffer before NULLifying it [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278304 [ 29 ] Bug #2278309 - CVE-2024-26996 kernel: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278309 [ 30 ] Bug #2278311 - CVE-2024-26995 kernel: usb: typec: tcpm: Correct the PDO counting in pd_set [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278311 [ 31 ] Bug #2278313 - CVE-2024-26994 kernel: speakup: Avoid crash on very long word [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278313 [ 32 ] Bug #2278315 - CVE-2024-26993 kernel: fs: sysfs: Fix reference leak in sysfs_break_active_protection() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278315 [ 33 ] Bug #2278317 - CVE-2024-26992 kernel: KVM: x86/pmu: Disable support for adaptive PEBS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278317 [ 34 ] Bug #2278319 - CVE-2024-26991 kernel: KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278319 [ 35 ] Bug #2278321 - CVE-2024-26990 kernel: KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278321 [ 36 ] Bug #2278323 - CVE-2024-26989 kernel: arm64: hibernate: Fix level3 translation fault in swsusp_save() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278323 [ 37 ] Bug #2278325 - CVE-2024-26988 kernel: init/main.c: Fix potential static_command_line memory overflow [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278325 [ 38 ] Bug #2278328 - CVE-2024-26987 kernel: mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278328 [ 39 ] Bug #2278330 - CVE-2024-26986 kernel: drm/amdkfd: Fix memory leak in create_process failure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278330 [ 40 ] Bug #2278332 - CVE-2024-26985 kernel: drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278332 [ 41 ] Bug #2278334 - CVE-2024-26984 kernel: nouveau: fix instmem race condition around ptr stores [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278334 [ 42 ] Bug #2278336 - CVE-2024-26983 kernel: bootconfig: use memblock_free_late to free xbc memory to buddy [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278336 [ 43 ] Bug #2278338 - CVE-2024-26982 kernel: Squashfs: check the inode number is not the invalid value of zero [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278338 [ 44 ] Bug #2278340 - CVE-2024-26981 kernel: nilfs2: fix OOB in nilfs_set_de_type [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278340 [ 45 ] Bug #2278342 - CVE-2024-26980 kernel: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2278342 --------------------------------------------------------------------------------
Joy of joys...
=== Error: Transaction test error: installing package kernel-core-6.8.8-100.fc38.x86_64 needs 13MB more space on the /boot filesystem installing package grub2-efi-x64-1:2.06-118.fc38.x86_64 needs 20MB more space on the /boot filesystem ===
Today Fedora decided that 400MB of /boot space wasn't enough to hold 3 kernel versions, a rescue, and grub. And that's not the easiest fix in the world...
My longest-continuously-upgraded systems were expanded a decade+ ago from whatever (100? 200? MB) to 400MB, which Fedora recommended at the time. Luckily some later ones I set to 500MB which should be ok for a few more years. The new Fedora standard seems to be 1GB.
Easiest fix for now is to edit dnf.conf to change installonly_limit to 2 rather than 3. However, that isn't ideal as there have been times I had to go back to that 3rd-oldest kernel. I guess another option is to disable the rescue kernel, which is always so old I don't even know if it will even work. In fact, I just talked myself into the latter option until the next disk upgrade when I can do some gparted partying.
Then the question will be: how long will 1GB be enough space?
Then the question will be: how long will 1GB be enough space?
Don't be so stingy! :) Hard disk space still expensive?
Take a lesson from Windows (and me). When a recent Win 10 update couldn't be applied because the standard 500 MB WinRE (Recovery Environment) was too small, and the forum talk was "Is 1 GB enough?", I went straight for adding 4 GB, totalling 4.5 GB.
Hartmut
On Thu 02 May 2024 at 23:56:13 -05:00, Trevor Cordes trevor@tecnopolis.ca wrote:
Joy of joys...
=== Error: Transaction test error: installing package kernel-core-6.8.8-100.fc38.x86_64 needs 13MB more space on the /boot filesystem installing package grub2-efi-x64-1:2.06-118.fc38.x86_64 needs 20MB more space on the /boot filesystem ===
Today Fedora decided that 400MB of /boot space wasn't enough to hold 3 kernel versions, a rescue, and grub. And that's not the easiest fix in the world...
My longest-continuously-upgraded systems were expanded a decade+ ago from whatever (100? 200? MB) to 400MB, which Fedora recommended at the time. Luckily some later ones I set to 500MB which should be ok for a few more years. The new Fedora standard seems to be 1GB.
Easiest fix for now is to edit dnf.conf to change installonly_limit to 2 rather than 3. However, that isn't ideal as there have been times I had to go back to that 3rd-oldest kernel. I guess another option is to disable the rescue kernel, which is always so old I don't even know if it will even work. In fact, I just talked myself into the latter option until the next disk upgrade when I can do some gparted partying.
Then the question will be: how long will 1GB be enough space? _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable