Ran arch-audit, many vulnerabilities in linux kernel

I ran arch-audit and here is the output:

Package curl is affected by CVE-2020-8286, CVE-2020-8285, CVE-2020-8284. Medium risk!
Package glibc is affected by CVE-2020-29562. Medium risk!
Package inetutils is affected by CVE-2019-0053. High risk!
Package jasper is affected by CVE-2020-27828. Medium risk!
Package linux is affected by CVE-2020-16119, CVE-2020-29661, CVE-2020-29660, CVE-2020-27830, CVE-2020-27815. High risk!
Package linux-zen is affected by CVE-2020-16119. High risk!
Package openssl is affected by CVE-2020-1971. High risk!
Package openssl-1.0 is affected by CVE-2020-1971, CVE-2020-1968. High risk!
Package packagekit is affected by CVE-2020-16121. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!

linux kernel seems to be hit by many High Risk vulnerabilities. Linux-zen only by one.
I am running linux at the moment; should I be using zen for the time being? Or install hardened? The latter doesn’t seem to be suffering from any vulnerabilities, at least looking at:
https://security.archlinux.org/

How about those other packages? Are there reasons to worry?

Being alive is a risk, you could drop dead at any moment, step outside and get hit by a bus. Sit back, take a deep breath and chill out :wink:

Make sure to sit away from the walls. Those picture frames hanging there can fall on your head at any moment.

Edit: Did I mention that the roof can fall too?
Apologies for straying away from the topic.


There’s always Spontaneous Human Combustion. Deep fry yourself!


@wordler and @flyingcakes

Thanks for sharing deep philosophical insights!

If you don’t have any technical ones to share, please keep your trolling away from this thread!


You should check https://security.archlinux.org/ for all these CVEs and see what the mitigation of the problem could be.

For some of the CVEs you can mitigate the risk by yourself.

E.g. CVE-2020-16119

Mitigation is to blacklist the dccp module. If there is no mitigation you could do on your own you just have to wait for the developer to fix it.

E.g. openssl CVE-2020-1971
The fix is currently in Arch testing.

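As an added example (not from this thread or from the Arch security tracker), here is a small POSIX shell script that applies the dccp blacklist the post above refers to. One caveat worth knowing: a bare `blacklist dccp` line only stops alias-based autoloading, so a process that runs `modprobe dccp` explicitly (or loads dccp_ipv4/dccp_ipv6, which depend on it) can still pull the module in; adding `install dccp /bin/false` makes that fail as well. The `MODPROBE_DIR` variable is an assumption of this script so it can be dry-run in a temporary directory; writing to the real /etc/modprobe.d needs root.

```shell
#!/bin/sh
# Added example (not from the thread): disable the dccp kernel module, which
# the Arch security tracker lists as the mitigation for CVE-2020-16119 while
# the kernel fix is pending.
# "blacklist dccp" only stops alias-based autoloading; "install dccp /bin/false"
# also makes an explicit `modprobe dccp` (and anything depending on it, such as
# dccp_ipv4/dccp_ipv6) fail. MODPROBE_DIR is an assumption of this script so it
# can be pointed at a scratch directory for a dry run; the real path needs root.

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Emit the modprobe.d stanza that disables one module.
blacklist_conf() {
  printf 'blacklist %s\ninstall %s /bin/false\n' "$1" "$1"
}

# Write that stanza to <MODPROBE_DIR>/<module>-blacklist.conf and print the path.
write_blacklist() {
  file="$MODPROBE_DIR/$1-blacklist.conf"
  blacklist_conf "$1" > "$file" || return 1
  printf '%s\n' "$file"
}

# Exit 0 if the module is currently loaded (reads /proc/modules, Linux only).
module_loaded() {
  grep -q "^$1 " /proc/modules 2>/dev/null
}

# Apply the blacklist for one module (default dccp) and report what modprobe
# would do now. The config only affects future loads; an already loaded module
# has to be unloaded (or the machine rebooted).
apply() {
  mod="${1:-dccp}"
  file=$(write_blacklist "$mod") || {
    echo "cannot write to $MODPROBE_DIR (root needed?)" >&2
    return 1
  }
  echo "wrote $file:"
  cat "$file"
  if module_loaded "$mod"; then
    echo "$mod is loaded right now; unload it with: modprobe -r $mod"
  fi
  # -n (dry run) -v: print the actions modprobe would take without loading.
  if command -v modprobe >/dev/null 2>&1; then
    modprobe -n -v "$mod" 2>&1 || true
  fi
}

# Usage: sh blacklist-module.sh apply [module]
case "${1:-}" in
  apply) apply "${2:-dccp}" ;;
esac
```

After applying, `modprobe -n -v dccp` should print the `install /bin/false` action instead of an `insmod` line, which is the quickest check that the config was picked up.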

Thanks @mbod,

I’ll be looking into your suggestions!

I think “vulnerabilities” is an overstatement. These kinds of things tend to get fixed quickly upstream. Unless you are running enterprise stuff I don’t see an issue. Anyway, we always back up, don’t we?

btw I hope the reference to Trolls was a joke, I may be ugly but I ain’t no troll :grin:


Not at all. Posting off-topic, irrelevant posts is part of the definition of trolling. Look it up for yourself!

If you want to share a good joke, there is always:


OK sorry, no offence meant :smile:


Thanks! I’ll keep it in mind for the next time I run into such issues.

My apologies too @pebcak
I’m usually hanging around the Lounge section. Carried over that habit here.


Not a security expert, so don’t take the following for granted, I just did a quick search:

Will be fixed in 5.9.14. TTY issues.

Only matters when you’re using DCCP.

Only matters when you’re using SpeakUp (accessibility)
Queued for 5.9.14.

JFS filesystem issue (fix available).

Most of these are very recent CVEs, so it’s understandable that not all of them are fixed yet.


Thanks a lot @anon31687413 for taking your time and looking into this.
I should have done my homework better :blush:

For the future reference, apart from

https://security.archlinux.org/

are there any particular sites to consult for these types of vulnerabilities?

Just enter the CVE string in your favourite search engine :slight_smile:
I wouldn’t worry too much about the kernel vulnerabilities as they are fixed rather quickly, but it’s always a good idea to check from time to time.


Alright.

I’ll take this as a new step in my learning Linux journey.

Thanks again!


How do you run the arch-audit?

Install the arch-audit package, then type arch-audit into a terminal.

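Since the output of arch-audit is what the whole thread is about, here is an added example (not from the thread, not part of arch-audit itself) of triaging that output in POSIX shell: sort packages by risk level, pull out the CVE ids for one package so you can look them up on security.archlinux.org, and a yes/no check usable from cron. The `SAMPLE` variable embeds the exact output quoted at the top of the thread so the script runs offline; on a live system pipe `arch-audit` into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread): triage arch-audit output by risk level.
# SAMPLE is the output quoted in the thread, embedded so this runs offline;
# on a live system pipe `arch-audit` into these functions instead.

SAMPLE='Package curl is affected by CVE-2020-8286, CVE-2020-8285, CVE-2020-8284. Medium risk!
Package glibc is affected by CVE-2020-29562. Medium risk!
Package inetutils is affected by CVE-2019-0053. High risk!
Package jasper is affected by CVE-2020-27828. Medium risk!
Package linux is affected by CVE-2020-16119, CVE-2020-29661, CVE-2020-29660, CVE-2020-27830, CVE-2020-27815. High risk!
Package linux-zen is affected by CVE-2020-16119. High risk!
Package openssl is affected by CVE-2020-1971. High risk!
Package openssl-1.0 is affected by CVE-2020-1971, CVE-2020-1968. High risk!
Package packagekit is affected by CVE-2020-16121. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!'

# stdin: arch-audit lines. stdout: "<risk> <package> <cve-count>", most severe
# first, then by package name. arch-audit's levels are Critical/High/Medium/Low;
# anything else sorts last.
triage() {
  awk '
    /^Package / {
      pkg  = $2
      risk = $(NF-1)                        # the word before "risk!"
      n    = gsub(/CVE-[0-9]+-[0-9]+/, "&")  # gsub returns the match count
      rank = risk == "Critical" ? 0 : risk == "High" ? 1 : risk == "Medium" ? 2 : risk == "Low" ? 3 : 4
      printf "%d %s %s %d\n", rank, risk, pkg, n
    }' | LC_ALL=C sort -k1,1n -k3,3 | cut -d" " -f2-
}

# stdin: arch-audit lines. stdout: the CVE ids for package $1, one per line,
# ready to paste into https://security.archlinux.org/<CVE-id>.
cves_for() {
  awk -v p="$1" '
    $1 == "Package" && $2 == p {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^CVE-/) { sub(/[,.]$/, "", $i); print $i }
    }'
}

# stdin: arch-audit lines. Exit 0 if any package is High or Critical, else 1.
# Handy as a cron/CI check, e.g.:  arch-audit | has_high_risk && mail -s ...
has_high_risk() {
  grep -Eq '(High|Critical) risk!$'
}

# Stand-alone demo over the embedded sample:  sh audit-triage.sh demo
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE" | triage
  echo "--- CVEs for linux:"
  printf '%s\n' "$SAMPLE" | cves_for linux
fi
```

Run against the sample, `triage` lists the five High packages first (inetutils, linux, linux-zen, openssl, openssl-1.0) with their CVE counts, which makes it obvious at a glance that linux and linux-zen share CVE-2020-16119 and differ only in the four extra kernel CVEs.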

Hmm maybe i’m going to switch to zen or hardened?

Is that really worth it? The one high risk remote vulnerability is shared by all current linux kernels:
[CVE-2020-16119](https://security.archlinux.org/CVE-2020-16119)

I might just live dangerously, but I am far less concerned about the Medium and Low risk vulnerabilities that aren’t remotely executed. As others have said, these will probably be patched pretty quickly.

… honestly, maybe I am just too lazy? :wink: