Livepatch
2314
Comment:
|
2001
switch to a table format and other wiki formatting
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= IN PROGRESS = = Overview = The Canonical Livepatch Service is Available to all Ubuntu Advantage customers, and also for personal use for free up to a maximum of three Ubuntu 16.04 LTS and 14.04 LTS systems. It updates your Ubuntu your systems with the highest and most critical security vulnerabilities, without requiring a reboot in order to take effect. |
= Kernel Livepatch = This is a collection of notes and FAQs for the [[https://www.ubuntu.com/server/livepatch | Canonical Livepatch Service]]. That page has a general introduction, data sheet and the ability to sign up for the service. |
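Review bot: The removed Overview paragraph in this first hunk is the only place the page says who can use the service (Ubuntu Advantage customers, plus free personal use on up to three systems), and the new "Kernel Livepatch" intro does not carry it over. That is a content removal rather than the "wiki formatting" described in the edit comment. Either keep one sentence on eligibility in the new intro, or state in the comment that it is intentionally left to the linked service page.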
Line 9: | Line 6: |
The Livepatch service is available for the generic flavour of the 64-bit Intel/AMD (aka, x86_64, amd64) builds of the Ubuntu 16.04 LTS (Xenial) kernel, which is a Linux 4.4 kernel, as well as Ubuntu 14.04 LTS running the Linux 4.4 [[https://wiki.ubuntu.com/Kernel/LTSEnablementStack|Hardware Enablement kernel]]. It works with unmodified Ubuntu kernels on Ubuntu 16.04 LTS and 14.04 LTS Servers and Desktops, on physical machines, virtual machines, and in the cloud. As mentioned before, Ubuntu 14.04 LTS systems must use the Hardware Enablement kernel. Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed. | || Ubuntu release || Arch || Kernel Version || Kernel Variants || || Ubuntu 16.04 LTS || 64-bit x86 || 4.4 || GA generic and lowlatency kernel variants only || || Ubuntu 14.04 LTS || 64-bit x86 || 4.4 || [[https://wiki.ubuntu.com/Kernel/LTSEnablementStack|Hardware Enablement kernel]] only || |
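Review bot: The new table's 16.04 row lists "GA generic and lowlatency kernel variants only", but the prose it replaces covered only "the generic flavour", so this hunk changes the stated support scope under an edit comment that describes a formatting switch. If lowlatency is now supported, say so in the comment; otherwise drop it from the cell. The table also loses the old sentence that the service works on physical machines, virtual machines and in the cloud, on Servers and Desktops; consider keeping that sentence below the table.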
Line 11: | Line 10: |
== How to get security notices for Livepatch == | Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed. |
Line 13: | Line 12: |
When a Livepatch is released, it is announced as a Kernel Live Patch Security Notice (LSN) in the [[https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce|Ubuntu Security Announcements]] mailing list. If a high/critical Kernel CVE is not able to be livepatched, a LSN notice will still go out to describing why. A normal [[https://usn.ubuntu.com/usn/|Ubuntu security notice]] (USN) will be released with packages along side it. Subscribe to the mailing list to get USN and LSN notifications. | == Security Notices == Livepatch Security Notices (LSN) are only available by subscribing to the [[https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce|Ubuntu Security Announcements]] mailing list. LSNs will be released for: * Announcing a new livepatch. * An alert if a livepatch cannot be released describing why. In that event, a standard [[https://usn.ubuntu.com/usn/|Ubuntu security notice]] (USN) will be released with packages along side it. '''NOTE''' You must subscribe to the mailing list. The USN RSS Feed, CVE tracker, and other services do not know about Livepatch Security Notices. |
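Review bot: The second bullet of the new "Security Notices" list ("An alert if a livepatch cannot be released describing why") drops the "high/critical Kernel CVE" qualifier that the removed text had, so it now reads as if an LSN is sent for any kernel issue that cannot be livepatched. Suggest restoring the qualifier in that bullet. The added NOTE that the USN RSS feed and CVE tracker do not carry LSNs is new information rather than reformatting and should be mentioned in the edit comment.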
Kernel Livepatch
This is a collection of notes and FAQs for the Canonical Livepatch Service. That page has a general introduction, data sheet and the ability to sign up for the service.
System Requirements
|| Ubuntu release || Arch || Kernel Version || Kernel Variants ||
|| Ubuntu 16.04 LTS || 64-bit x86 || 4.4 || GA generic and lowlatency kernel variants only ||
|| Ubuntu 14.04 LTS || 64-bit x86 || 4.4 || Hardware Enablement kernel only ||
Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed.
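The requirements above can be checked mechanically before enrolling a host. The following is an added example, not part of the wiki page or of Canonical's tooling: the function names are hypothetical, it assumes Ubuntu kernel release strings of the form `4.4.0-N-flavour` and a GNU `sort -V`, and it does not test network access to the Livepatch service.

```shell
#!/bin/sh
# Added example: check a host against the Livepatch requirements table.

# True when version $1 is at least version $2 (relies on GNU `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# livepatch_eligible RELEASE ARCH KERNEL SNAPD
# Prints "eligible" and returns 0, or prints the first failed requirement
# and returns 1.
livepatch_eligible() {
    release=$1 arch=$2 kernel=$3 snapd=$4
    [ "$arch" = "x86_64" ] || { echo "unsupported arch: $arch"; return 1; }
    case "$kernel" in
        4.4.*) ;;
        *) echo "kernel $kernel is not a 4.4 kernel"; return 1 ;;
    esac
    flavour=${kernel##*-}    # assumed format: 4.4.0-N-flavour
    case "$release" in
        16.04)
            case "$flavour" in
                generic|lowlatency) ;;
                *) echo "unsupported kernel variant: $flavour"; return 1 ;;
            esac ;;
        14.04) ;;            # assumption: a 4.4 kernel on 14.04 is the HWE kernel
        *) echo "unsupported release: $release"; return 1 ;;
    esac
    version_ge "$snapd" 2.15 || { echo "snapd $snapd is older than 2.15"; return 1; }
    echo "eligible"
}

# Gather the four values from the running system and evaluate them.
livepatch_host_check() {
    livepatch_eligible "$(lsb_release -rs)" "$(uname -m)" "$(uname -r)" \
        "$(snap version | awk '$1 == "snapd" {print $2}')"
}

# Run against the local host only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    livepatch_host_check
fi
```
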
Security Notices
Livepatch Security Notices (LSN) are only available by subscribing to the Ubuntu Security Announcements mailing list. LSNs will be released for:
- Announcing a new livepatch.
- An alert if a livepatch cannot be released, describing why. In that event, a standard Ubuntu security notice (USN) will be released with packages alongside it.
NOTE: You must subscribe to the mailing list. The USN RSS Feed, CVE tracker, and other services do not know about Livepatch Security Notices.
FAQ
What kinds of updates will be provided by the Canonical Livepatch Service?
The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.
Kernel/Livepatch (last edited 2021-10-21 19:14:00 by nmavrogiannopoulos)