|
|
|
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] kernel (SSA:2026-128-01)
Date: Fri, 8 May 2026 15:16:52 -0700 (PDT) |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] kernel (SSA:2026-128-01)
New kernel packages are available for Slackware 15.0 and -current to fix
a security issue.
Here are the details from the Slackware 15.0 ChangeLog:
+--------------------------+
patches/packages/linux-5.15.205/kernel-generic-5.15.205-i586-1.txz: Upgraded.
patches/packages/linux-5.15.205/kernel-generic-smp-5.15.205_smp-i686-1.txz: Upgraded.
patches/packages/linux-5.15.205/kernel-headers-5.15.205_smp-x86-1.txz: Upgraded.
patches/packages/linux-5.15.205/kernel-huge-5.15.205-i586-1.txz: Upgraded.
patches/packages/linux-5.15.205/kernel-huge-smp-5.15.205_smp-i686-1.txz: Upgraded.
patches/packages/linux-5.15.205/kernel-modules-5.15.205-i586-1.txz: Upgraded.
This update fixes a critical security issue:
xfrm: esp: avoid in-place decrypt on shared skb frags.
This update addresses a Linux kernel local privilege escalation attack known
as "Dirty Frag." Please note that there's a second CVE (CVE-2026-43500) that
is not yet patched upstream.
Mitigation: If for some reason it's not possible to upgrade the kernel right
away you may blacklist or remove the kernel modules esp4.ko and esp6.ko
(CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).
Also remove the modules from the kernel if they have been loaded:
rmmod esp4 esp6 rxrpc
And, drop the file caches in case in-memory program copies have already
been compromised. Make sure possibly affected programs do not have any
open sessions first:
sh -c "echo 3 > /proc/sys/vm/drop_caches"
For more information, see:
https://github.com/V4bel/dirtyfrag
https://www.cve.org/CVERecord?id=CVE-2026-43284
(* Security fix *)
patches/packages/linux-5.15.205/kernel-modules-smp-5.15.205_smp-i686-1.txz: Upgraded.
This update fixes a critical security issue:
xfrm: esp: avoid in-place decrypt on shared skb frags.
This update addresses a Linux kernel local privilege escalation attack known
as "Dirty Frag." Please note that there's a second CVE (CVE-2026-43500) that
is not yet patched upstream.
Mitigation: If for some reason it's not possible to upgrade the kernel right
away you may blacklist or remove the kernel modules esp4.ko and esp6.ko
(CVE-2026-43284) and rxrpc.ko (CVE-2026-43500).
Also remove the modules from the kernel if they have been loaded:
rmmod esp4 esp6 rxrpc
And, drop the file caches in case in-memory program copies have already
been compromised. Make sure possibly affected programs do not have any
open sessions first:
sh -c "echo 3 > /proc/sys/vm/drop_caches"
For more information, see:
https://github.com/V4bel/dirtyfrag
https://www.cve.org/CVERecord?id=CVE-2026-43284
(* Security fix *)
patches/packages/linux-5.15.205/kernel-source-5.15.205_smp-noarch-1.txz: Upgraded.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated packages for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-generic-5.15.205-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-generic-smp-5.15.205_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-headers-5.15.205_smp-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-huge-5.15.205-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-huge-smp-5.15.205_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-modules-5.15.205-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-modules-smp-5.15.205_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/linux-5.15.205/kernel-source-5.15.205_smp-noarch-1.txz
Updated packages for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/linux-5.15.205/kernel-generic-5.15.205-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/linux-5.15.205/kernel-headers-5.15.205-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/linux-5.15.205/kernel-huge-5.15.205-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/linux-5.15.205/kernel-modules-5.15.205-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/linux-5.15.205/kernel-source-5.15.205-noarch-1.txz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-6.12.87-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-headers-6.12.87-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-source-6.12.87-noarch-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-6.18.x/kernel-generic-6.18.28-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-6.18.x/kernel-headers-6.18.28-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-6.18.x/kernel-source-6.18.28-noarch-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-7.0.x/kernel-generic-7.0.5-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-7.0.x/kernel-headers-7.0.5-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-7.0.x/kernel-source-7.0.5-noarch-1.txz
Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-generic-6.18.28-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-headers-6.18.28-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-source-6.18.28-noarch-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/testing/packages/linux-7.0.x/kernel-generic-7.0.5-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/testing/packages/linux-7.0.x/kernel-headers-7.0.5-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/testing/packages/linux-7.0.x/kernel-source-7.0.5-noarch-1.txz
MD5 signatures:
+-------------+
Slackware 15.0 packages:
8e8a2207665a003123da709c9dd3c51e kernel-generic-5.15.205-i586-1.txz
397e043c4a032e47a07c23039cc7bd74 kernel-generic-smp-5.15.205_smp-i686-1.txz
c6f5abfc1621a79f283f1fac3a38ebd9 kernel-headers-5.15.205_smp-x86-1.txz
ba240f46ba54bc437c7647f914da6097 kernel-huge-5.15.205-i586-1.txz
9ac88625d533acc2af59e05389b2e753 kernel-huge-smp-5.15.205_smp-i686-1.txz
952bc4ba662cda29b9928f4434fca3fb kernel-modules-5.15.205-i586-1.txz
341b0aaeec3032325de7ddf8bbe666fc kernel-modules-smp-5.15.205_smp-i686-1.txz
e40749c23b754933c09aff9d776e9481 kernel-source-5.15.205_smp-noarch-1.txz
Slackware x86_64 15.0 packages:
d4f8481fa0f8e515b41bcfe153fdd8c2 kernel-generic-5.15.205-x86_64-1.txz
fd0d107b8941e0d166acb5452b3fa507 kernel-headers-5.15.205-x86-1.txz
f25eb9b3d1aec403bb7aa7301825ccf3 kernel-huge-5.15.205-x86_64-1.txz
093905e9c86ae21022119e0cb4b09ac4 kernel-modules-5.15.205-x86_64-1.txz
e347dba916e24b96f76d036f7673669c kernel-source-5.15.205-noarch-1.txz
Slackware -current packages:
38d4ffff2e38b12c7e66d4d7ac6f2b0c kernel-firmware-20260507_b3d71e9-noarch-1.txz
9b03fc01356a7c729433acfb9d6c245e kernel-generic-6.12.87-i686-1.txz
2205f8650e5664013f0e1e710bc3f9d0 kernel-headers-6.12.87-x86-1.txz
820496e2fd49ac74607a9b7812969b22 kernel-source-6.12.87-noarch-1.txz
17f34441c213f03eae924fa4595df0d5 kernel-generic-6.18.28-i686-1.txz
dae6c83833780f7e2fc47ee0854a609f kernel-headers-6.18.28-x86-1.txz
35e103920a30209386d7124f1c7ebc08 kernel-source-6.18.28-noarch-1.txz
6ad79b6f0201278b4c2c1b0d07f69601 kernel-generic-7.0.5-i686-1.txz
c839198802090f96f19995b9e6eb34ae kernel-headers-7.0.5-x86-1.txz
56fd489d90f31ab058c7e0af7545d682 kernel-source-7.0.5-noarch-1.txz
Slackware x86_64 -current packages:
38d4ffff2e38b12c7e66d4d7ac6f2b0c kernel-firmware-20260507_b3d71e9-noarch-1.txz
2d5e29d74adab0b158672205f85f2514 kernel-generic-6.18.28-x86_64-1.txz
701b7af7fa77856c54d9f23064c9c096 kernel-headers-6.18.28-x86-1.txz
1d894820c6f469a8397687b1b3e15ddf kernel-source-6.18.28-noarch-1.txz
82469a9fb0f533c19513bde5b159f514 kernel-generic-7.0.5-x86_64-1.txz
156155e8cab7b9941f1e58e2474235a5 kernel-headers-7.0.5-x86-1.txz
657b47221628f7fbe4c18b05a539c383 kernel-source-7.0.5-noarch-1.txz
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg kernel-*.txz
If you are using an initrd, you'll need to rebuild it.
For a 32-bit SMP machine, use this command (substitute the appropriate
kernel version if you are not running Slackware 15.0):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 5.15.205-smp | bash
For a 64-bit machine, or a 32-bit uniprocessor machine, use this command
(substitute the appropriate kernel version if you are not running
Slackware 15.0):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 5.15.205 | bash
Please note that "uniprocessor" has to do with the kernel you are running,
not with the CPU. Most systems should run the SMP kernel (if they can)
regardless of the number of cores the CPU has. If you aren't sure which
kernel you are running, run "uname -a". If you see SMP there, you are
running the SMP kernel and should use the 5.15.205-smp version when running
mkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit
systems should always use 5.15.205 as the version.
If you are using lilo or elilo to boot the machine, you'll need to ensure
that the machine is properly prepared before rebooting.
If using LILO:
By default, lilo.conf contains an image= line that references a symlink
that always points to the correct kernel. No editing should be required
unless your machine uses a custom lilo.conf. If that is the case, be sure
that the image= line references the correct kernel file. Either way,
you'll need to run "lilo" as root to reinstall the boot loader.
If using elilo:
Ensure that the /boot/vmlinuz symlink is pointing to the kernel you wish
to use, and then run eliloconfig to update the EFI System Partition.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iHkEARECADkWIQTsVknaQB4iq/pnNu9qRGPAQBAiMwUCaf5cGhsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQakRjwEAQIjNqmwCfU6z6GaSQnhxIRvuy6ifw
lGOIUA4An3mJRvr4KaLXP5uTXNPrghC2HFWV
=m7r+
-----END PGP SIGNATURE-----
|
|
|
