On Wed, 2018-10-24 at 12:05 +0200, Raphaël Halimi wrote:
> Package: debian-installer
> Version: 20170615+deb9u4
> 
> Hi,
> 
> I just noticed a race condition in d-i, which may lead to a mild
> security risk.
> 
> When the kernel metapackage (linux-image-<arch>) is initially installed,
> APT doesn't install recommended packages, and security.debian.org
> repository is not configured yet, so the installer naturally fetches the
> latest kernel from the core suite. After APT configuration, and other
> repositories and suites are available, debian-installer runs an upgrade;
> but if a newer version of linux-image-<arch> is found in one of those
> newly available repositories (security.debian.org in this case), it's
> not installed because APT refuses to install the recommended packages
> (firmware-linux-free, irqbalance) to satisfy dependencies, so the kernel
> metapackage is kept back.

I'm fairly sure it's the ABI bump in the kernel that prevents upgrading,
not the recommended packages.  This is tracked as #908711.

Ben.

> It won't be installed until the admin runs an upgrade manually, once the
> system is booted. This may put it at risk during a certain period of
> time between the first boot, and the first upgrade (and reboot).
> 
> Regards,
> 

-- 
Ben Hutchings
Never put off till tomorrow what you can avoid all together.
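The situation described in the thread (the kernel metapackage listed as "kept back" by APT after a fresh install) can be checked from a post-install hook or a first-boot audit by reading APT's simulated upgrade output. The script below is an added example, not part of the bug report or of debian-installer; it assumes the Debian `apt-get -s upgrade` output format and a metapackage name such as linux-image-amd64, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether the kernel metapackage is being kept back
# by a plain "apt-get upgrade" (the symptom from the thread), so that the
# admin knows a full upgrade and reboot are still needed.

# kept_back_kernel <metapackage> <text of "apt-get -s upgrade" output>
# Returns 0 (true) if <metapackage> appears in APT's "kept back" list.
kept_back_kernel() {
    pkg="$1"
    out="$2"
    printf '%s\n' "$out" | awk -v pkg="$pkg" '
        /^The following packages have been kept back:/ { inlist = 1; next }
        /^[^ ]/ { inlist = 0 }             # any unindented line ends the list
        inlist { for (i = 1; i <= NF; i++) if ($i == pkg) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: what apt-get -s upgrade prints when the metapackage
# cannot be upgraded because its new dependency (the ABI-bumped kernel
# image) would have to be installed.
SAMPLE_KEPT='Reading package lists...
Building dependency tree...
Calculating upgrade...
The following packages have been kept back:
  linux-image-amd64
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.'

# Constructed sample: nothing held back.
SAMPLE_CLEAN='Reading package lists...
Building dependency tree...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'

# Live mode (hypothetical flag --live): run the real simulation on this host.
if [ "${1:-}" = "--live" ] && command -v apt-get >/dev/null 2>&1; then
    arch="$(dpkg --print-architecture)"
    if kept_back_kernel "linux-image-$arch" "$(apt-get -s upgrade 2>/dev/null)"; then
        echo "linux-image-$arch is kept back: run a full upgrade and reboot"
    else
        echo "linux-image-$arch is not kept back"
    fi
fi
```

In live mode the remedy is the full upgrade the thread refers to (`apt-get dist-upgrade` or `apt full-upgrade`) followed by a reboot, since only then does the new-ABI kernel actually run.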