I have a request from my network security colleague to investigate the threat of this CVE for our environment and I'm having a hard time figuring it out. When I look on the CVE tracker for that CVE:
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html
It lists the package versions as well as the release versions, which confuses me. It seems to imply that you can run the Trusty source on the Precise OS?
But that's beside the point. Our environment is predominantly Precise servers with a handful of Trusty servers, and I need to know if this vulnerability applies to me. Is there a command I can run to determine if I'm using one of these packages that is listed? The package names actually specified in the tracker, like "linux-lts-trusty", are not apt-get packages, so "apt-cache show" doesn't help.
Best Answer
First of all, the package that it refers to, "linux-lts-trusty", refers to the kernel images. They are named differently in the repositories. If you do
apt-cache search linux-.* | grep 'trusty'
you will find packages like "linux-image-virtual-lts-trusty" or "linux-image-virtual-lts-wily". In addition, if you open the launchpad link, git.kernel.org link and others from the CVE report you have there, all point to this being a Linux kernel vulnerability. So, for "linux-lts-trusty", for which the latest Launchpad version at the time of me writing this is 3.13.0-93.140-precise1, it lists that only for Ubuntu 12.04 a fix is needed; for other versions the bug DNE (does not exist). For "linux-lts-wily", which is version 4.2.0-42.49-14.04.1, only trusty (14.04) is at risk. So it really depends on the kernel version you are running. Of course, the best approach would be that your server is upgraded to the latest version, 16.04 LTS, and have newer kernel versions. You didn't provide us with your kernel version, so we don't know if you are at risk for this or not.
Technically you can run an older kernel on a newer OS version and vice versa, so yes, that is correct.
NOTES:
Wily Werewolf (15.10) has already reached End of Life and is no longer supported. If you are running this version, I strongly suggest you upgrade.
The "linux-lts-saucy" kernel version appears not to have that vulnerability. That's version 3.11.0-26.45-precise1. I would suggest any 3.11.x version, but this is still not ideal; newer versions are preferable.
Tracking "linux" in the tracker for this CVE for a given release will track the base kernel shipped in that release. Tracking "linux-lts-*" in the tracker for this CVE will track an HWE kernel, available only in LTS editions which get HWE updates. Until all of them are "released" or "fixed", for all Source packages and all relevant distributions on the Tracker, you are not going to be able to 'avoid' the CVE.
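The answer above says it all comes down to the kernel you are actually running and names two fixed HWE versions, 3.13.0-93.140 for linux-lts-trusty on 12.04 and 4.2.0-42.49 for linux-lts-wily on 14.04. The script below is an added example, not part of the original answer, that turns that into a check against "uname -r". It assumes the usual Ubuntu kernel naming, where "uname -r" prints "<base>-<ABI>-<flavour>" (for example 3.13.0-92-generic) and the ABI number is the part before the dot in the package version's upload number, so 3.13.0-93.140 corresponds to a running kernel of 3.13.0-93. Anything outside those two HWE series reports "unknown" rather than guessing, since the answer gives no fixed version for other kernels.

```shell
#!/bin/sh
# Added example: classify a running kernel against the fixed HWE versions
# quoted in the answer (constructed script, not the tracker's own tooling).
#
# Fixed versions from the answer, reduced to "<base>-<ABI>":
#   linux-lts-trusty (12.04 HWE): 3.13.0-93.140 -> 3.13.0-93
#   linux-lts-wily   (14.04 HWE): 4.2.0-42.49   -> 4.2.0-42
# Assumption: `uname -r` looks like "3.13.0-92-generic" (base-ABI-flavour).

# vercmp_ge A B : succeeds when dotted/dashed numeric version A >= B.
# Both strings must contain only digits, dots and dashes.
vercmp_ge() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # Ran out of fields on both sides: versions are equal.
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# kernel_status RELEASE : prints "fixed", "vulnerable" or "unknown" for a
# `uname -r` style string, using only the two HWE series the answer names.
kernel_status() {
    # "3.13.0-92-generic" -> "3.13.0-92" (drop the flavour suffix)
    base=$(printf '%s' "$1" | cut -d- -f1,2)
    case "$base" in
        3.13.0-*) fixed=3.13.0-93 ;;   # linux-lts-trusty fix on 12.04
        4.2.0-*)  fixed=4.2.0-42 ;;    # linux-lts-wily fix on 14.04
        *)        echo unknown; return 0 ;;
    esac
    if vercmp_ge "$base" "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Usage: sh check-kernel.sh --check   (inspects the running kernel)
if [ "${1:-}" = "--check" ]; then
    printf '%s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
fi
```

Note that "unknown" is not a clean bill of health: a 3.2.x base kernel on Precise or a 3.13.x base kernel on Trusty is tracked under "linux" in the tracker, as the answer explains, so those need to be checked against that package's fixed version rather than the HWE ones encoded here.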