On Thu, 2016-12-08 at 15:54 +1300, Richard Hector wrote:
> Hi all - not sure if this is the best list for this question, sorry.
>
> I'm currently running backport kernels on several jessie machines, some
> because of hardware requirements (recent intel graphics) and some to get
> recent lxc packages, which I understand are much better than the stock
> jessie ones.
>
> I recently learned on debian-user that the 4.7 backport kernels have
> problems and shouldn't be used, and that I should stick with 4.6 instead
> (despite that no longer being available in the archive).

You should upgrade unless you know the new version won't work for you.

> But then I
> thought to check on the August TCP bug, CVE-2016-5696 - and the 4.6
> backport kernel appears to be still affected.
>
> Am I left with my only option being to build my own?
>
> Do backport kernels ever get security patches, or 3rd-level point
> release updates?

They do... slowly.

> Obviously I realise that I pay nothing and can demand nothing, but I'm
> curious - presumably people build these packages because they need them;
> do they then choose another way forward if things go wrong, and abandon
> the backport?

No, the backports are supposed to be kept up-to-date with testing.

> Also, as an aside, I tried to download the matching source for the
> kernel I'm running (before realising the CVE would be mentioned in the
> changelog in the binary package), and failed - the source tree is newer,
> and not a git repo so I can't go back, and cloning the git tree from
> https://anonscm.debian.org/git/kernel/linux.git only gives me the debian
> directory - where do I get the source for my running kernel?

The debian/bin/genorig.py will generate it from the upstream linux git
repository. Alternately <http://snapshot.debian.org> has all the old
uploaded versions.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
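The changelog check mentioned in the quoted question (whether a CVE is listed in the changelog shipped with the binary package) can be scripted. This is an added example, not part of the original message; the helper name cve_fixed_in, the sample changelog and the changelog path in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# cve_fixed_in CVE-ID: read a Debian changelog on stdin and print the version
# of every entry that mentions CVE-ID. Returns 0 if any entry matched, else 1.
# (Hypothetical helper name, introduced for this example.)
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[^ \t]/ && $2 ~ /^\(/ {
            ver = $2
            gsub(/[()]/, "", ver)
            seen = 0
            next
        }
        # Report each entry once, however many of its lines mention the CVE.
        !seen && index($0, cve) {
            print ver
            seen = 1
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample changelog (not the real linux changelog), newest first.
sample_changelog() {
    cat <<'EOF'
examplepkg (1.0-3) unstable; urgency=medium

  * Update translations.

 -- Example Maintainer <maint@example.org>  Thu, 01 Dec 2016 10:00:00 +0000

examplepkg (1.0-2) unstable; urgency=high

  * Fix TCP bug (CVE-2016-5696)
  * Add regression test for CVE-2016-5696

 -- Example Maintainer <maint@example.org>  Tue, 01 Nov 2016 10:00:00 +0000

examplepkg (1.0-1) unstable; urgency=medium

  * Initial release.

 -- Example Maintainer <maint@example.org>  Sat, 01 Oct 2016 10:00:00 +0000
EOF
}

# On an installed system (assumed standard Debian doc path):
#   zcat "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz" | cve_fixed_in CVE-2016-5696
sample_changelog | cve_fixed_in CVE-2016-5696   # prints 1.0-2
```

A non-zero exit status means no entry in the installed package's changelog mentions the CVE.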