Summary: | sys-kernel/tuxonice-sources : Hundreds of vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Mike Pagano <mpagano> |
Component: | Current packages | Assignee: | Gentoo Kernel Security <security-kernel> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | arfrever.fta, kernel, maintainer-needed, proxy-maint, qbt937, treecleaner |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | A0 [masked] | | |
Package list: | | Runtime testing required: | --- |
Description
Mike Pagano
TuxOnIce seems to be still maintained in https://github.com/NigelCunningham/tuxonice-kernel but it seems that easily downloadable patches for specific versions of kernel are no longer provided. I have asked upstream: https://github.com/NigelCunningham/tuxonice-kernel/issues/36

It's been a month. Did you get a response from upstream? We are now on month 16 without any updates and these tuxonice kernels all have known exploits. Seems a disservice to our users to keep these in the repository.

I received no response in https://github.com/NigelCunningham/tuxonice-kernel/issues/36. You can mask sys-apps/tuxonice-userui and sys-kernel/tuxonice-sources for deletion.

Hey Upstream responded, see: https://github.com/NigelCunningham/tuxonice-kernel/issues/36#issuecomment-331230205 What's the next step now?

No one has said they will step up and maintain this. We should at least mask all versions in the tree as everyone contains known exploits.

Security Team. Please mask and tree clean sys-kernel/tuxonices. If someone steps up and updates these kernels, all the better, but it's been 18 months and this bug is almost 2 months old. These kernels have not seen an update since May of 2016 and are vulnerable to hundreds of kernel CVEs.
In fact, 380 kernel CVEs have been issued in 2017 alone as seen here: http://www.cvedetails.com/vulnerability-list.php?vendor_id=33&product_id=47&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=2017&month=0&cweid=0&order=1&trc=380&sha=d80d3346f69d7155f090a2b7862af859427c62ef

Here's a list of just a few:

CVE-2017-1000380 CVE-2017-1000379 CVE-2017-1000377 CVE-2017-1000371 CVE-2017-1000370 CVE-2017-1000365 CVE-2017-1000364 CVE-2017-1000252 CVE-2017-1000251 CVE-2017-14954 CVE-2017-14497 CVE-2017-14489 CVE-2017-14340 CVE-2017-14156 CVE-2017-14140 CVE-2017-14106 CVE-2017-14051 CVE-2017-13715 CVE-2017-13695 CVE-2017-13694 CVE-2017-13693 CVE-2017-13686 CVE-2017-12762 CVE-2017-12168 CVE-2017-12154 CVE-2017-12153 CVE-2017-12146 CVE-2017-11600 CVE-2017-11473 CVE-2017-11472 CVE-2017-11176 CVE-2017-10911 CVE-2017-10810 CVE-2017-10663 CVE-2017-10662 CVE-2017-10661 CVE-2017-9986 CVE-2017-9985 CVE-2017-9984 CVE-2017-9605 CVE-2017-9242 CVE-2017-9211 CVE-2017-9150 CVE-2017-9077 CVE-2017-9076 CVE-2017-9075 CVE-2017-9074 CVE-2017-9059 CVE-2017-8925 CVE-2017-8924

concur with kernel team.

    # Aaron Bauman <bman@gentoo.org> (8 October 2017)
    # severely vulnerable and unmaintained sources.
    # Masked for removal in 30 days. Bug #627924
    sys-kernel/tuxonice-sources

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64745cf09285597b1c1376d6b011b6a51c429df7

There has been some activity on github by the maintainer again, bringing the code up to all the latest versions of the upstream kernel.

Perhaps the treecleaning can be postponed and the ebuild restored to the tree?

(In reply to Peter Gantner (a.k.a. nephros) from comment #8)
> There has been some activity on github by the maintainer again, bringing the
> code up to all the latest versions of the upstream kernel.
>
> Perhaps the treecleaning can be postponed and the ebuild restored to the
> tree?

Someone has to step up to do the work...

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7dde116c5470e51a3125501b1db26010226cd92

    commit a7dde116c5470e51a3125501b1db26010226cd92
    Author:     Mikle Kolyada <zlogene@gentoo.org>
    AuthorDate: 2018-01-06 12:00:03 +0000
    Commit:     Mikle Kolyada <zlogene@gentoo.org>
    CommitDate: 2018-01-06 12:01:57 +0000

        sys-kernel/tuxonice-sources: remove last rited package

        Bug: https://bugs.gentoo.org/627924

     sys-kernel/tuxonice-sources/Manifest | 95 ----------------------
     sys-kernel/tuxonice-sources/metadata.xml | 23 ------
     .../tuxonice-sources-3.10.100.ebuild | 34 --------
     .../tuxonice-sources-3.10.101.ebuild | 34 --------
     .../tuxonice-sources-3.12.56.ebuild | 34 --------
     .../tuxonice-sources-3.12.58.ebuild | 34 --------
     .../tuxonice-sources-3.12.60.ebuild | 34 --------
     .../tuxonice-sources-3.14.64.ebuild | 34 --------
     .../tuxonice-sources-3.14.67.ebuild | 34 --------
     .../tuxonice-sources-3.14.70.ebuild | 34 --------
     .../tuxonice-sources-3.18.28.ebuild | 34 --------
     .../tuxonice-sources-3.18.31.ebuild | 34 --------
     .../tuxonice-sources-3.18.34.ebuild | 34 --------
     .../tuxonice-sources-3.4.110.ebuild | 33 --------
     .../tuxonice-sources-3.4.111.ebuild | 33 --------
     .../tuxonice-sources-3.4.112.ebuild | 33 --------
     .../tuxonice-sources-4.1.19.ebuild | 34 --------
     .../tuxonice-sources-4.1.22.ebuild | 34 --------
     .../tuxonice-sources-4.1.24.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.2.8.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.3.6.ebuild | 34 --------
     .../tuxonice-sources-4.4.11.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.4.5.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.4.8.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.5.2.ebuild | 34 --------
     .../tuxonice-sources/tuxonice-sources-4.5.4.ebuild | 34 --------
     26 files changed, 931 deletions(-)

Removed.