We envision a future were owning and administering your own personal server is simple and commonplace. This vision naturally arises as more and more people begin to use and advocate distributed and decentralized technologies like Bitcoin and our very own DNSChain. Instead of learning to drive, they’ll learn to administrate a server. 🙂
So, along a similar vein of our previous tutorial for How to update OpenSSL on Debian testing (Jessie) for #Heartbleed, today we’ll show you how to downgrade a Linux kernel so that you can get the patch for the recent deadly-dangerous privilege-escalation vulnerability CVE-2014-3153 if you’re running on a non-stable distribution (or are running one of the latest kernels).
Before we begin, a few important notes
- Sysadmins should subscribe to the debian-security-announce mailing list to keep up-to-date on the latest security advisories.
- At the time of this posting you actually have two options: downgrade to kernel version 3.2.57-3+deb7u2 in Debian stable, or upgrade to 3.14.5-1 found in Debian unstable (sid). Either choice is fine, and there may even be reasons to prefer upgrading (systemd works better), but traditionally when such patches are released, they are released for Debian stable first, and so quick-thinking sysadmins will want to know how to grab the updates from stable if they made the mistake of not running Debian stable or if they updated some piece of software from one of the non-stable repos.
Step 1: Change your apt sources to stable (security)
/etc/apt/sources.list, comment out your previous sources and add these:
deb http://http.debian.net/debian/ stable main non-free contrib deb http://security.debian.org/ stable/updates main contrib non-free deb http://http.debian.net/debian/ stable-updates main contrib non-free
aptitude update as root.
Step 2: Find the correct kernel version and install it
[root]# aptitude search linux-image (in our case "linux-image-3.2.0-4-amd64" was appropriate) [root]# apt-cache policy linux-image-3.2.0-4-amd64 linux-image-3.2.0-4-amd64: Installed: 3.2.51-1 Candidate: 3.2.57-3+deb7u2 Version table: 3.2.57-3+deb7u2 0 500 http://security.debian.org/ wheezy/updates/main amd64 Packages 3.2.57-3 0 500 http://http.debian.net/debian/ wheezy/main amd64 Packages *** 3.2.51-1 0 100 /var/lib/dpkg/status [root]# aptitude install linux-image-3.2.0-4-amd64=3.2.57-3+deb7u2 The following packages will be upgraded: linux-image-3.2.0-4-amd64 1 packages upgraded, 0 newly installed, 0 to remove and 3 not upgraded. Need to get 23.4 MB of archives. After unpacking 2,486 kB will be used. Do you want to continue? [Y/n/?] Y Get: 1 http://security.debian.org/ wheezy/updates/main linux-image-3.2.0-4-amd64 amd64 3.2.57-3+deb7u2 [23.4 MB] Fetched 23.4 MB in 1min 54s (205 kB/s) Reading changelogs... Done Preconfiguring packages ...
Don’t forget to install the linux kernel headers as well:
# aptitude install linux-headers-3.2.0-4-amd64=3.2.57-3+deb7u2
Step 3: Update grub to boot the new kernel
These instructions are for grub version 2:
- Look inside `/boot/grub/grub.cfg` and find the title of the `menuentry` for the new kernel. In our case it was `Debian GNU/Linux, with Linux 3.2.0-4-amd64`
- Edit `/etc/default/grub` and set `GRUB_DEFAULT=”Debian GNU/Linux, with Linux 3.2.0-4-amd64″` (or whatever the title was).
- Save the file and run `grub-update`. Grub will probably complain and tell you to set the title to something else (a very long, more specific string that seems based on either a hash or a UUID). Copy that string and set GRUB_DEFAULT to it, then run `grub-update` again.
Now you can
systemctl reboot). After reboot, reset your
/etc/apt/sources.list if necessary and run
aptitude update again.
To upgrade (instead of downgrading) the kernel, follow the instructions in our previous sysadmin post (modifying as appropriate).
Donating = Loving!
You can empower our work by donating!