Livepatch has fixed kernel vulnerabilities. Or not???
Bo Berglund
bo.berglund at gmail.com
Wed Apr 12 15:32:18 UTC 2023
On Mon, 27 Mar 2023 13:01:33 -0500, Keith <keithw at caramail.com> wrote:
>On 3/27/23 3:01 AM, Bo Berglund wrote:
>> On Sun, 26 Mar 2023 10:50:40 +0200, Bo Berglund <bo.berglund at gmail.com> wrote:
>>
>>> I saw this yesterday when I logged on via SSH to my Ubuntu Server 20.04.6 LTS:
>>>
>>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>>> the closest maintenance window ***
>>>
>>> Today was the possible "maintenance window" so I rebooted the server.
>>>
>>> Now when I log on *after* the reboot I see this greeting:
>>>
>>> -------------
>>> Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-89-generic x86_64)
>>>
>>> System information as of Sun 26 Mar 2023 09:56:23 AM CEST
>>>
>>> System load: 0.04 Users logged in: 0
>>> Usage of /home: 80.1% of 258.81GB IPv4 address for eth0: 192.168.xxx.yyy
>>> Memory usage: 6% IPv4 address for tun0: 10.8.0.1
>>> Swap usage: 0% IPv4 address for tun1: 10.8.139.1
>>> Processes: 247
>>>
>>> Expanded Security Maintenance for Applications is enabled.
>>>
>>> 0 updates can be applied immediately.
>>>
>>> New release '22.04.2 LTS' available.
>>> Run 'do-release-upgrade' to upgrade to it.
>>>
>>>
>>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>>> the closest maintenance window ***
>>> -------------
>>>
>>> What gives?
>>> Do I have to do multiple reboots to get this done, if so why?
>>> Otherwise: What should I do now?
>>>
>>
>> I found this thread about the same issue:
>> https://askubuntu.com/questions/1411986/livepatch-behaviour-and-restart-in
>>
>> It suggests doing this to solve it:
>> apt update && apt full-upgrade -y && sudo reboot
>>
>> But that is exactly what I have done multiple times and the message still
>> persists! I have rebooted twice to no avail.
>>
>> What is going on and why does it not stop????
>>
>>
>Hi Bo
>
>You can use the pro and/or canonical-livepatch commands to figure out
>what the status is on kernel patches and reboot requirements.
>
>$ pro security-status
$ pro security-status
1261 packages installed:
908 packages from Ubuntu Main/Restricted repository
188 packages from Ubuntu Universe/Multiverse repository
1 package from a third party
164 packages no longer available for download
To get more information about the packages, run
pro security-status --help
for a list of available options.
This machine is attached to an Ubuntu Pro subscription.
Main/Restricted packages are receiving security updates from
Ubuntu Pro with 'esm-infra' enabled until 2030.
Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 17 security
updates.
>$ pro system reboot-required
$ pro system reboot-required
no
>$ canonical-livepatch status --verbose
$ canonical-livepatch status --verbose
last check: 8 minutes ago
kernel: 5.4.0-89.100-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical.
patch state: ✓ all applicable livepatch modules inserted
patch version: 92.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: f604e0e6137f58f8d2b3ebfc5a6fb461
client version: 10.5.3
architecture: x86_64
cpu model: AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx
boot time: 2 weeks ago
fixes:
* cve-2013-1798
Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual
Machine) emulated the IOAPIC. A privileged guest user could exploit
this flaw to read host memory or cause a denial of service (crash the
host).
* cve-2018-25020
LP bug:
.... Here a really long list of stuff I know nothing about ......
* cve-2022-43945
It was discovered that the NFSD implementation in the Linux kernel did
not properly handle some RPC messages, leading to a buffer overflow. A
remote attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code.
># canonical-livepatch refresh downloads and applies kernel patches
>$ canonical-livepatch kernel-upgrade-required; echo $?
>Exit code of 0 means restart is necessary
>Exit code of 1 means restart is not necessary, but recommended at later time
>Exit code of 2 means no restart is necessary.
$ canonical-livepatch kernel-upgrade-required; echo $?
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on
the closest maintenance window ***Kernel upgrade recommended.
1
>Some "turn it off/turn it back on" level things to try:
>1. Disable the livepatch service and reboot. see if motd updates and
>still indicates a system restart. If not, re-enable service and see if
>issue comes back. If a system restart is indicated even with livepatch
>disabled, then the problem is somewhere else.
>$ sudo pro disable/enable livepatch
I cannot easily reboot this system, I have 3 hours on Sunday mornings only
available...
>2. Disable the etc-update-motd-d plugin for the canonical-livepatch snap
>$ sudo snap disconnect canonical-livepatch:etc-update-motd-d --forget
>That should remove
>/etc/update-motd.d/99-livepatch-kernel-upgrade-required script which is
>generating the motd restart message but still leave livepatch enabled.
$ sudo snap disconnect canonical-livepatch:etc-update-motd-d --forget
There is no output, cursor just moves down after some highspeed stuff flashes
and disappears.
>Re-enable the plugin and then logout/login to see if issue persists
>$ sudo snap connect canonical-livepatch:etc-update-motd-d
sudo snap connect canonical-livepatch:etc-update-motd-d
There is no output, again cursor just moves down after some highspeed stuff
flashes and disappears.
Logging in anew still shows the message..
>
>3. check the /var/run/ directory to see if reboot-required and
>reboot-required.pkgs files are in there. Check the pkgs file and see
>what packages are listed. Verify they are installed correctly. The "dpkg
>-V <packagename>" command will help here.
No files starting with reboot are there:
$ ll /var/run/reboot*
ls: cannot access '/var/run/reboot*': No such file or directory
>If there are no reboot files in /var/run, then I'm out of ideas.
>Probably should file a bug against the canonical-livepatch client. Might
>make a inquiry on another venue like Ubuntu Forums, Ubuntu community
>discourse server, or AskUbuntu also.
Or live with it even though it will nag me for reboots that are not needed....
--
Bo Berglund
Developer in Sweden
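The thread shows three signals that can disagree about whether a reboot is needed: the exit code of `canonical-livepatch kernel-upgrade-required` (0, 1 or 2, as Keith describes), the `/var/run/reboot-required` flag file that package upgrades drop, and whether the running kernel is actually older than the newest one installed. The script below is an added example, not code from the thread or from Canonical; it wraps each signal in its own function so they can be compared side by side, and it accepts alternative directories as arguments so the logic can be exercised against a constructed `/boot` and `/var/run` without touching a live system. The function names, the `report` wrapper and the version comparison via `sort -V` are this example's own choices.

```bash
#!/bin/bash
# reboot_check.sh - added example: reconcile the reboot signals discussed in the thread.
# Helper names and argument layout are this example's own, not canonical-livepatch's.

# Map the exit code of `canonical-livepatch kernel-upgrade-required`
# to the meaning quoted in the thread (0 required, 1 recommended, 2 none).
livepatch_rc_meaning() {
    case "$1" in
        0) echo "restart-required" ;;
        1) echo "restart-recommended" ;;
        2) echo "no-restart" ;;
        *) echo "unknown" ;;
    esac
}

# Flag file written by package upgrades; argument is the run dir (normally /var/run).
reboot_flag_present() {
    [ -f "$1/reboot-required" ]
}

# Newest kernel version installed under a boot directory (normally /boot),
# derived from the vmlinuz-<version> file names.
newest_installed_kernel() {
    local f
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# True when the running kernel ($1) is older than the newest installed one in $2.
running_kernel_stale() {
    local newest top
    newest=$(newest_installed_kernel "$2")
    [ -n "$newest" ] || return 1
    [ "$newest" != "$1" ] || return 1
    top=$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n 1)
    [ "$top" = "$newest" ]
}

# Print all three signals; optional args: run dir, boot dir.
report() {
    local run_dir=${1:-/var/run} boot_dir=${2:-/boot} rc=0 running
    running=$(uname -r)

    if command -v canonical-livepatch >/dev/null 2>&1; then
        canonical-livepatch kernel-upgrade-required >/dev/null 2>&1 || rc=$?
        echo "livepatch client says : $(livepatch_rc_meaning "$rc") (exit $rc)"
    else
        echo "livepatch client says : client not installed"
    fi

    if reboot_flag_present "$run_dir"; then
        echo "reboot-required flag  : present in $run_dir"
    else
        echo "reboot-required flag  : absent from $run_dir"
    fi

    if running_kernel_stale "$running" "$boot_dir"; then
        echo "kernel versions       : running $running, newest installed $(newest_installed_kernel "$boot_dir") -> reboot needed"
    else
        echo "kernel versions       : running $running is the newest installed (or none found in $boot_dir)"
    fi
}

report "$@"
```

In Bo's situation the first line would read "restart-recommended (exit 1)" while the other two report nothing to do, which is exactly the disagreement the thread is about: the message comes from the livepatch client's own state, not from a pending kernel upgrade, so the second and third checks are the ones to trust when deciding whether the maintenance window is really needed.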