
Re: How to safely hold kernel packages ?
On 02/06/2018 09:00 AM, Stéphane Rivière wrote:
Hi all,

I wanted to avoid kernel updates after the Spectre/Meltdown 'bug', also known as the KPTI or KAISER CPU flaw. In my specific context, these patches are useless or even harmful.

Before applying an aptitude update/upgrade to all the servers and VMs I'm in charge of, I did a little test on a Debian 9 stable workstation, with the kernel linux-image-4.9.0-4-amd64 release 4.9.51-1.

So, after running aptitude search ~i~linux- I held these meta-packages:

aptitude hold linux-image-amd64
aptitude hold linux-headers-amd64

Then I checked the applied holds:

aptitude search ~ahold

ihA linux-headers-amd64
ih  linux-image-amd64

then... aptitude update/upgrade

After that... I discovered a kernel change:

linux-image-4.9.0-4-amd64 release 4.9.65-3 (instead of previously 4.9.51-1)

Reading: http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.9.65-3+deb9u2_changelog

I discovered I had perfectly applied the patch I wished to avoid.

linux (4.9.65-3+deb9u2) stretch-security; urgency=high
.../...
   * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
     (CVE-2017-5754)

Hopefully, there is a new "nokaiser" boot option!
(happy end).

So it seems I just learned that the aptitude 'hold' command is for the package version (i.e. 4.9.0-4), not for package security fix versions (4.9.65-3)...

But is there a way to really *freeze* a package (block all updates)?

Is it the aptitude 'keep' option? (I can't really see the difference from 'hold'.)

Or maybe it's better to apply security patches and use the new "nokaiser" boot option...

Thanks a lot in advance for your advice ;)


All the best from France...

I would use 'apt-mark'.

# apt-mark hold 'package-name'

and

# apt-mark unhold 'package-name'

Cheers,
--
Jimmy Johnson

Debian Stretch - KDE Plasma 5.8.6 - AMD A8-7600 - EXT4 at sda6
Registered Linux User #380263
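The pitfall in the thread, as an added example (not code from either poster): a hold applies to a package name, and the security update kept the name linux-image-4.9.0-4-amd64 while only its version changed, so holding the linux-image-amd64 metapackage alone could not stop it. The script checks a constructed dpkg selection list for exactly that gap; the package names come from the thread, the selection states and the metapackage naming rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A hold binds to a package NAME;
# the security update kept the name linux-image-4.9.0-4-amd64 and only
# changed its version (4.9.51-1 -> 4.9.65-3), so a hold on the metapackage
# linux-image-amd64 never applied to it. Selection lists below are constructed
# stand-ins for `dpkg --get-selections` output, using the thread's names.

# Holds as the original poster set them (metapackages only).
SELECTIONS_BEFORE='linux-image-4.9.0-4-amd64  install
linux-image-amd64  hold
linux-headers-4.9.0-4-amd64  install
linux-headers-amd64  hold'

# The same machine after the concrete image package is held as well.
SELECTIONS_AFTER='linux-image-4.9.0-4-amd64  hold
linux-image-amd64  hold
linux-headers-4.9.0-4-amd64  install
linux-headers-amd64  hold'

# selection_state PKG SELECTIONS -> prints hold | install | absent
selection_state() {
    printf '%s\n' "$2" |
        awk -v pkg="$1" '$1 == pkg { print $2; found = 1 }
                         END { if (!found) print "absent" }'
}

# kernel_hold_check KERNEL_RELEASE SELECTIONS
# KERNEL_RELEASE is what `uname -r` prints (e.g. 4.9.0-4-amd64); the
# metapackage name is derived from its flavour suffix (assumed layout).
# Returns 0 when the running kernel's concrete image package is held,
# 1 otherwise, printing the apt-mark command that would close the gap.
kernel_hold_check() {
    concrete="linux-image-$1"
    meta="linux-image-${1##*-}"          # 4.9.0-4-amd64 -> linux-image-amd64
    c_state=$(selection_state "$concrete" "$2")
    m_state=$(selection_state "$meta" "$2")
    echo "$meta: $m_state, $concrete: $c_state"
    if [ "$c_state" = hold ]; then
        echo "ok: new versions of $concrete will not be installed by upgrade"
        return 0
    fi
    echo "gap: holding $meta alone does not block new $concrete versions"
    echo "fix: apt-mark hold $concrete   (or: aptitude hold $concrete)"
    return 1
}

# The first call reproduces the poster's situation; the second the fixed one.
kernel_hold_check 4.9.0-4-amd64 "$SELECTIONS_BEFORE" || true
kernel_hold_check 4.9.0-4-amd64 "$SELECTIONS_AFTER"
```

On a real system the list would come from `dpkg --get-selections` and the release from `uname -r`; the hold itself still has to be applied with apt-mark or aptitude as root.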