[nmglug] Federal agency warns critical Linux vulnerability being actively exploited | Ars Technica

Sam Noble s at mnoble.net
Sun Jun 2 14:21:29 PDT 2024


On Sun, Jun 02, 2024 at 02:05:22PM -0600, Brian O'Keefe wrote:
> Is this a problem for someone like me? Are folks aware of it?
> 
> $ uname -r
> 5.4.0-182-generic
> 
> 
> https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/?comments=1&comments-page=1
> 

On a Debian based system, the quick way to check if a given CVE has been
patched for, is to check the changelog of the affected package, only if
it's not mentioned there do you need to check for updates or do more
research.

$ zgrep CVE-2024-1086 /usr/share/doc/linux-image-$(uname -r)/changelog.gz 
    - netfilter: nf_tables: reject QUEUE/DROP verdict parameters (CVE-2024-1086)

When it is there (even if the comment is too cryptic for mortals) you can
_pretty much_ assume that an appropriate patch has been applied. Don't let
upstream version numbers scare you, the security industry and especially
they're press are terrible about communicating how distro patching works.

-- 
sam


More information about the nmglug mailing list