We envision a future were owning and administering your own personal server is simple and commonplace. This vision naturally arises as more and more people begin to use and advocate distributed and decentralized technologies like Bitcoin and our very own DNSChain. Instead of learning to drive, they’ll learn to administrate a server. 🙂

So, along a similar vein of our previous tutorial for How to update OpenSSL on Debian testing (Jessie) for #Heartbleed, today we’ll show you how to downgrade a Linux kernel so that you can get the patch for the recent deadly-dangerous privilege-escalation vulnerability CVE-2014-3153 if you’re running on a non-stable distribution (or are running one of the latest kernels).

Before we begin, a few important notes

  • Sysadmins should subscribe to the debian-security-announce mailing list to keep up-to-date on the latest security advisories.
  • At the time of this posting you actually have two options: downgrade to kernel version 3.2.57-3+deb7u2 in Debian stable, or upgrade to 3.14.5-1 found in Debian unstable (sid). Either choice is fine, and there may even be reasons to prefer upgrading (systemd works better), but traditionally when such patches are released, they are released for Debian stable first, and so quick-thinking sysadmins will want to know how to grab the updates from stable if they made the mistake of not running Debian stable or if they updated some piece of software from one of the non-stable repos.

The Procedure

Step 1: Change your apt sources to stable (security)

Edit /etc/apt/sources.list, comment out your previous sources and add these:

deb http://http.debian.net/debian/ stable main non-free contrib
deb http://security.debian.org/ stable/updates main contrib non-free
deb http://http.debian.net/debian/ stable-updates main contrib non-free

Then run aptitude update as root.

Step 2: Find the correct kernel version and install it

[root]# aptitude search linux-image
(in our case "linux-image-3.2.0-4-amd64" was appropriate)

[root]# apt-cache policy linux-image-3.2.0-4-amd64
linux-image-3.2.0-4-amd64:
  Installed: 3.2.51-1
  Candidate: 3.2.57-3+deb7u2
  Version table:
     3.2.57-3+deb7u2 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
     3.2.57-3 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages
 *** 3.2.51-1 0
        100 /var/lib/dpkg/status

[root]# aptitude install linux-image-3.2.0-4-amd64=3.2.57-3+deb7u2
The following packages will be upgraded: 
  linux-image-3.2.0-4-amd64 
1 packages upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 23.4 MB of archives. After unpacking 2,486 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://security.debian.org/ wheezy/updates/main linux-image-3.2.0-4-amd64 amd64 3.2.57-3+deb7u2 [23.4 MB]
Fetched 23.4 MB in 1min 54s (205 kB/s)
Reading changelogs... Done
Preconfiguring packages ...

Don’t forget to install the linux kernel headers as well:

# aptitude install linux-headers-3.2.0-4-amd64=3.2.57-3+deb7u2

Step 3: Update grub to boot the new kernel

These instructions are for grub version 2:

  1. Look inside /boot/grub/grub.cfg and find the title of the menuentry for the new kernel. In our case it was Debian GNU/Linux, with Linux 3.2.0-4-amd64
  2. Edit /etc/default/grub and set GRUB_DEFAULT="Debian GNU/Linux, with Linux 3.2.0-4-amd64" (or whatever the title was).
  3. Save the file and run grub-update. Grub will probably complain and tell you to set the title to something else (a very long, more specific string that seems based on either a hash or a UUID). Copy that string and set GRUB_DEFAULT to it, then run grub-update again.

Now you can reboot (or systemctl reboot). After reboot, reset your /etc/apt/sources.list if necessary and run aptitude update again.

To upgrade (instead of downgrading) the kernel, follow the instructions in our previous sysadmin post (modifying as appropriate).

Donating = Loving!
You can empower our work by donating!

Comments