'Now' would be the right time to patch Ubuntu container hosts and ditch 21.04 thanks to heap buffer overflow bug

The CVE-2022-0185 vulnerability in Ubuntu is severe enough that Red Hat is also advising immediate patching. The flaw allows a process inside a Linux user namespace to escape, which means it potentially affects any machine running containers. If you're not running any containers, you can just disable the user-namespace …

  1. Tom 7 Silver badge

    21.04 LTS

    Shirley the LTS says it gets security updates for a mere 10 years.

    1. MrBanana Silver badge

      Re: 21.04 LTS

      They are every two years, and the most recent LTS release is 20.04.3. The next one is just around the corner in April.

      1. Tom 7 Silver badge

        Re: 21.04 LTS

        And my eye tests used to be every year but now further apart than LTSes!

      2. sw guy

        Re: 21.04 LTS

        BTW, I read that 20.04 is also affected…

        1. Swarthy Silver badge

          Re: 21.04 LTS

          That's a little concerning, as the four most recent Mint (one of the most popular Linux Distros) versions are based on 20.04.

    2. thames

      Re: 21.04 LTS

      There is no 21.04 LTS. 21.04 is not an LTS version.

  2. TJ1

    Not distro specific; Linux kernel before v5.16.2

    Distros will be backporting the fix from mainline [0] and/or the v5.16.2 stable tree [1]

    author Jamie Hill-Daniel <jamie@hill-daniel.co.uk> 2022-01-18 08:06:04 +0100

    committer Linus Torvalds <torvalds@linux-foundation.org> 2022-01-18 09:23:19 +0200

    vfs: fs_context: fix up param length parsing in legacy_parse_param

    The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an unsigned type so a large value of "size" results in a high positive value instead of a negative value as expected. Fix this by getting rid of the subtraction.

    [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756

    [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.16.2&id=8b1530a3772ae5b49c6d8d171fd3146bb947430f

    1. Swarthy Silver badge

      Re: Not distro specific; Linux kernel before v5.16.2

      So upgrading to kernel 5.16.2 will fix the issue? That's good to know.
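The commit message quoted above describes a size_t underflow in a length check: once the accumulated option buffer is within two bytes of the page, "PAGE_SIZE - 2 - size" wraps to a huge value and the bounds check never fires. The following added example (not code from the kernel commit, from Jamie Hill-Daniel, or from The Register) models that check in user space so the failure mode can be seen without touching any kernel memory. It assumes a 4096-byte page, and the exact shape of the before/after conditions is an assumption modelled on the commit message's wording, not a copy of the kernel source; the two bytes are taken to be the separator and terminator around each appended parameter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed page size for this model (x86-64 default); not taken from the page. */
#define PAGE_SZ 4096UL

/* Model of the pre-fix check, as described in the commit message: the
 * subtraction is done in size_t, so once size > PAGE_SZ - 2 the right-hand
 * side wraps to a huge value and "len > ..." is never true.
 * Returns true when the parameter is accepted. */
bool legacy_check_before_fix(size_t size, size_t len)
{
    return !(len > PAGE_SZ - 2 - size);
}

/* Model of the fixed check: no subtraction, so no wrap-around.
 * Assumes size and len are both far below SIZE_MAX, which holds here
 * because size never exceeds the page and len is a single option string. */
bool legacy_check_after_fix(size_t size, size_t len)
{
    return !(size + len + 2 > PAGE_SZ);
}

/* If the given check accepts the parameter, how many bytes of the copy
 * (separator + option + terminator) would land past the end of a PAGE_SZ
 * buffer that already holds `size` bytes? 0 means rejected or fits. */
size_t bytes_past_page(bool (*check)(size_t, size_t), size_t size, size_t len)
{
    if (!check(size, len))
        return 0;                      /* rejected: nothing is written */
    size_t end = size + len + 2;       /* separator, option, terminator */
    return end > PAGE_SZ ? end - PAGE_SZ : 0;
}

int main(void)
{
    /* Constructed (size, len) pairs: a normal append, an append that is
     * honestly too large, and the underflow case where size >= PAGE_SZ - 1. */
    const size_t cases[][2] = { {100, 10}, {4000, 100}, {4095, 10} };

    printf("%8s %6s | %-10s %-10s | past page (before / after)\n",
           "size", "len", "before", "after");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t size = cases[i][0], len = cases[i][1];
        printf("%8zu %6zu | %-10s %-10s | %zu / %zu\n", size, len,
               legacy_check_before_fix(size, len) ? "accepted" : "rejected",
               legacy_check_after_fix(size, len)  ? "accepted" : "rejected",
               bytes_past_page(legacy_check_before_fix, size, len),
               bytes_past_page(legacy_check_after_fix, size, len));
    }
    return 0;
}
```

The third row is the interesting one: with the buffer already at 4095 bytes, the pre-fix comparison computes 4096 - 2 - 4095 in unsigned arithmetic, wraps, and accepts a 10-byte option that would end 11 bytes beyond the page; the post-fix form rejects it. This is also the general lesson for any bounds check written as "len > CAPACITY - overhead - used": reorder it so the subtraction cannot go below zero, or express it as an addition on the small side of the comparison, as the kernel fix does.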

  3. fredesmite2

    WTF

    why are you posting this shit on public web sites?

    you don't need to be promoting this to hackers.

    CVEs are fixed EVERYDAY in Linux.

    1. Synkronicity

      Re: WTF

      lol yikes, you think hackers don't do their research independent of the news? You think the people responsible for patching the "CVEs that are fixed EVERYDAY in Linux" shouldn't be made aware of something without trawling CVE directories, mailing lists, and Twitter? Delete your post, you special person.

    2. NoKangaroosInAustria

      Re: WTF

      Sounds like you are advocating for security through obscurity. Well I hate to be the one to break it to you, but we've known since as far back as the 1850s that that doesn't work.

  4. Zadir

    Not an Ubuntu vulnerability

    This CVE is in the kernel, please correct the information so everyone that uses the combination of kernel/F.S. affected can take action in order to mitigate/fix the issue.

    https://access.redhat.com/security/cve/CVE-2022-0185

  5. TrevorH

    Still not patched in CentOS Stream

    so much for Red Hat's promise to keep CentOS Stream up to date and free of exploits then...

Biting the hand that feeds IT © 1998–2022