Critical Kernel Bug: The Dirty Pipe Vulnerability

nj

I recently came across this post https://dirtypipe.cm4all.com/. Looks like everyone needs to look at this. What can be done to update the Kernel version, @girish @nebulon ?

Timeline

• 2021-04-29: first support ticket about file corruption

• 2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability

• 2022-02-20: bug report, exploit and patch sent to the Linux kernel security team

• 2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team

• 2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro

• 2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)

• 2022-02-24: Google merges my bug fix into the Android kernel

• 2022-02-28: notified the linux-distros mailing list

• 2022-03-07: public disclosure

nebulon

@nj Cloudro relies on Ubuntu LTS versions and security updates are enabled automatically (independent from Cloudron releases). So once the ubuntu securty team updates the kernels, all Cloudrons will get is as well. Since this is a kernel issue, you will likely see some "reboot required" notification in your Cloudron dashboard afterwards.