[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#911750: Race condition in d-i leading to kernel from security.debian.org to be kept back

On Wed, 2018-10-24 at 12:05 +0200, Raphaël Halimi wrote:
> Package: debian-installer
> Version: 20170615+deb9u4
> Hi,
> I just noticed a race condition in d-i, which may lead to a mild
> security risk.
> When the kernel metapackage (linux-image-<arch>) is initially installed,
> APT doesn't install recommended packages, and security.debian.org
> repository is not configured yet, so the installer naturally fetches the
> latest kernel from the core suite. After APT configuration, and other
> repositories and suites are available, debian-installer runs an upgrade;
> but if a newer version of linux-image-<arch> is found in one of those
> newly available repositories (security.debian.org in this case), it's
> not installed because APT refuses to install the recommended packages
> (firware-linux-free, irqbalance) to satisfy dependencies, so the kernel
> metapackage is kept back.

I'm fairly sure it's the ABI bump in the kernel that prevents
upgrading, not the recommended packages.  This is tracked as #908711.


> It won't be installed until the admin runs an upgrade manually, once the
> system is booted. This may put it at risk during a certain period of
> time between the first boot, and the first upgrade (and reboot).
> Regards,
Ben Hutchings
Never put off till tomorrow what you can avoid all together.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: