Livepatch
Deletions are marked like this. | Additions are marked like this. |
Line 26: | Line 26: |
== Common Issues == There have been some common issues reported with Canonical Livepatch, some that are bugs others that are decisions taken for a list of reasons. If these are bugs these issues have been brought up with the developers already and a bug has been filed against the appropriate application or package. If these are decisions taken then the information provided is to allow you to decide if you would like it or not. This is a place to keep up to date on any temporary fixes until the developers are able to fix the issue. |
== CommonIssues == This part describes known issues with Canonical Livepatch Service. === Secure Boot === === Tanned Kernel === |
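Review bot: the added text at line 26 leaves `=== Secure Boot ===` and `=== Tanned Kernel ===` as headings with nothing under them, while the paragraph it replaces explained that listed issues are either filed bugs or deliberate decisions and that temporary fixes would be tracked here. As saved, the section documents no issue at all, so add at least a sentence under each heading or keep the old explanation until they are filled in. The heading `== CommonIssues ==` has also lost the space the previous revision had, and "Tanned Kernel" looks like a typo for "Tainted Kernel".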
Kernel Livepatch
This is a collection of notes and FAQs for the Canonical Livepatch Service. That page has a general introduction, data sheet and the ability to sign up for the service.
System Requirements
Ubuntu release | Arch | Kernel Version | Kernel Variants |
Ubuntu 18.04 LTS | 64-bit x86 | 4.15 | GA generic and lowlatency kernel variants only |
Ubuntu 16.04 LTS | 64-bit x86 | 4.4 | GA generic and lowlatency kernel variants only |
Ubuntu 14.04 LTS | 64-bit x86 | 4.4 | |
Additionally, network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443) and the latest version of snapd (at least 2.15) are needed.
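A pre-flight check for the requirements above, as an added example that is not part of the original page or Canonical's tooling: it applies the table and the snapd minimum to values you would read from `VERSION_ID` in /etc/os-release, `uname -m`, `uname -r` and the installed snapd version. The function names and sample hosts are constructed, `x86_64` is assumed as the `uname -m` value for 64-bit x86, and reachability of livepatch.canonical.com:443 is not tested.

```sh
#!/bin/sh
# Added example: pre-flight check against the System Requirements above.
# Function names and sample hosts are constructed, not Canonical tooling.

# snapd_ok VERSION: succeeds if VERSION is at least 2.15 (major.minor).
snapd_ok() {
    sv_major=${1%%.*}
    sv_rest=${1#*.}
    sv_minor=${sv_rest%%[!0-9]*}
    case "$sv_major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$sv_minor" ] || return 1
    [ "$sv_major" -gt 2 ] || { [ "$sv_major" -eq 2 ] && [ "$sv_minor" -ge 15 ]; }
}

# livepatch_eligible RELEASE ARCH KERNEL_RELEASE SNAPD_VERSION
# (VERSION_ID in /etc/os-release, `uname -m`, `uname -r`, snapd version)
livepatch_eligible() {
    lp_series=$(printf '%s\n' "$3" | cut -d. -f1,2)  # 4.15.0-45-generic -> 4.15
    lp_flavour=${3##*-}                               # 4.15.0-45-generic -> generic
    case "$1" in
        18.04) lp_want=4.15 ;;
        16.04|14.04) lp_want=4.4 ;;
        *) echo "FAIL: Ubuntu $1 is not in the table"; return 1 ;;
    esac
    [ "$2" = x86_64 ] || { echo "FAIL: arch $2 is not 64-bit x86"; return 1; }
    [ "$lp_series" = "$lp_want" ] ||
        { echo "FAIL: kernel $lp_series, need $lp_want on $1"; return 1; }
    # The table names variants for 18.04 and 16.04 only; the 14.04 row gives
    # none, so no variant rule is applied to it here.
    if [ "$1" != 14.04 ]; then
        case "$lp_flavour" in
            generic|lowlatency) ;;
            *) echo "FAIL: kernel variant $lp_flavour"; return 1 ;;
        esac
    fi
    snapd_ok "$4" || { echo "FAIL: snapd $4 is not at least 2.15"; return 1; }
    echo "OK: $1 / $3 / snapd $4"
}

# Constructed sample hosts: release, arch, kernel release, snapd version.
while read -r rel arch krel snapd; do
    livepatch_eligible "$rel" "$arch" "$krel" "$snapd" || :
done <<'EOF'
18.04 x86_64 4.15.0-45-generic 2.37.1
16.04 x86_64 4.15.0-45-generic 2.37.1
16.04 x86_64 4.4.0-142-aws 2.37.1
18.04 aarch64 4.15.0-45-generic 2.37.1
18.04 x86_64 4.15.0-45-generic 2.14
EOF
```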
Security Notices
Livepatch Security Notices (LSN) are only available by subscribing to the Ubuntu Security Announcements mailing list. LSNs will be released for:
- Announcing a new livepatch.
- An alert if a livepatch cannot be released, describing why and possible mitigation notes.
  - A standard Ubuntu security notice (USN) will be released with packages alongside it to fix the issue.
  - The livepatch client will start issuing a warning that an update and reboot is necessary.
NOTE: You must subscribe to the mailing list. The USN RSS Feed, CVE tracker, and other services do not know about Livepatch Security Notices.
Common Issues
This part describes known issues with the Canonical Livepatch Service.
Secure Boot
Tanned Kernel
FAQ
What kinds of updates will be provided by the Canonical Livepatch Service?
The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.
How do you rate a CVE?
We do not use an external rating system, but rate based on these qualifications:
negligible | Something that is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backported from upstreams, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update. |
low | Something that is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up. |
medium | Something that is a real security problem, and is exploitable for many people. Includes network daemon denial of service attacks, cross-site scripting, and gaining user privileges. Updates should be made soon for this priority of issue. |
high | A real problem, exploitable for many people in a default installation. Includes serious remote denial of service, local root privilege escalations, or data loss. |
critical | A world-burning problem, exploitable for nearly all people in a default installation of Ubuntu. Includes remote root privilege escalations, or massive data loss. |
azzar1/Kernel/Livepatch (last edited 2019-01-29 15:51:42 by azzar1)