Ran arch-audit, many vulnerabilities in linux kernel

pebcak · December 10, 2020, 6:17am

I ran arch-audit and here is the output:

Package curl is affected by CVE-2020-8286, CVE-2020-8285, CVE-2020-8284. Medium risk!
Package glibc is affected by CVE-2020-29562. Medium risk!
Package inetutils is affected by CVE-2019-0053. High risk!
Package jasper is affected by CVE-2020-27828. Medium risk!
Package linux is affected by CVE-2020-16119, CVE-2020-29661, CVE-2020-29660, CVE-2020-27830, CVE-2020-27815. High risk!
Package linux-zen is affected by CVE-2020-16119. High risk!
Package openssl is affected by CVE-2020-1971. High risk!
Package openssl-1.0 is affected by CVE-2020-1971, CVE-2020-1968. High risk!
Package packagekit is affected by CVE-2020-16121. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!

linux kernel seems to be hit by many High Risk vulnerabilities. Linux-zen only by one.
I am running linux at the moment should I be using zen for the time being? Or install hardened? The latter doesn’t seem to be suffering by any vulnerabilities, at least looking at:
https://security.archlinux.org/

How about those other packages? Are there reasons to worry?

wordler · December 10, 2020, 6:54am

Being alive is a risk, you could drop dead at any moment, step outside and get hit by a bus. Sit back, take a deep breath and chill out

flyingcakes · December 10, 2020, 6:55am

~~Make sure to sit away from the walls. Those picture frames hanging there can fall on the head any moment.~~

~~Edit: Did I mention that the roof can fall too?~~

Apologies for straying away from the topic.

wordler · December 10, 2020, 6:58am

There’s always Spontaneous Human Combustion. Deep fry yourself!

pebcak · December 10, 2020, 6:59am

@wordler and @flyingcakes

Thanks for sharing deep philosophical insights!

If you don’t have any technical ones to share, please keep your trolling away from this thread!

mbod · December 10, 2020, 6:59am

You should check https://security.archlinux.org/ for all these CVE’s and see what the mitigation of the problem could be.

For some of the CVE you can mitigate the risk by yourself.

E.g CVE-2020-16119

Mitigation is to blacklist the dccp module. If there is no mitigation you could do on your own you just have to wait for the developer to fix it.

E.g. openssl CVE-2020-1971
The fix is currently in Arch testing.

pebcak · December 10, 2020, 7:04am

Thanks @mbod,

I’ll be looking into your suggestions!

wordler · December 10, 2020, 7:05am

I think “vulnerabilities” is an overstatement. These kind of things tend to get fixed quickly upstream. Unless you are running enterprise stuff I don’t see an issue. Anyway we always backup don’t we?

btw I hope the reference to Trolls was a joke, I may be ugly but I ain’t no troll

pebcak · December 10, 2020, 7:16am

Not at all. Posting off-topic, irrelevant posts is part of the definition of trolling. Look it up for yourself!

If you want to share a good joke, there is always:

wordler · December 10, 2020, 7:18am

OK sorry, no offence meant

pebcak · December 10, 2020, 7:22am

Thanks! I’ll keep it in mind for the next time I run into such issues.

flyingcakes · December 10, 2020, 7:22am

My apologies too @pebcak
I’m usually hanging around the Lounge section. Carried over that habit here.

anon31687413 · December 10, 2020, 1:49pm

Not a security expert, so don’t take the following for granted, I just did a quick search:

Will be fixed in 5.9.14. TTY issues.

Only matters when you’re using DCCP.

Only matters when you’re using SpeakUp (accessibility)
Queued for 5.9.14.

JFS filesystem issue (fix available).

Most of these are very recent CVEs, so it’s understandable that not all of them are fixed yet.

pebcak · December 10, 2020, 1:56pm

Thanks a lot @anon31687413 for taking your time and looking into this.
I should have done my homework better

For the future reference, apart from

https://security.archlinux.org/

are there any particular sites to consult for these types of vulnerabilities?

anon31687413 · December 10, 2020, 1:59pm

Just enter the CVE string in your favourite search engine
I wouldn’t worry too much about the kernel vulnerabilities as they are fixed rather quickly, but it’s always a good idea to check from time to time.

pebcak · December 10, 2020, 2:02pm

Alright.

I’ll take this as a new step in my learning Linux journey.

Thanks again!

ricklinux · December 10, 2020, 3:53pm

How do you run the arch-audit?

anon3337769 · December 10, 2020, 4:03pm

Install the arch-audit package, then type arch-audit into a terminal.

ricklinux · December 10, 2020, 4:38pm

Hmm maybe i’m going to switch to zen or hardened?

MrToddarama · December 10, 2020, 4:44pm

Is that really worth it? The one high risk remote vulnerability is shared by all current linux kernels:
[CVE-2020-16119](https://security.archlinux.org/CVE-2020-16119

I might just live dangerously, but I am far less concerned about the Medium and Low risk vulnerabilities that aren’t remotely executed. As others have said, these will probably be patched pretty quickly.

… honestly, maybe I am just too lazy?