Home / ubuntu / Questions / 740735
Accepted
Kalamalka Kid
Asked: 2016-03-02 00:49:46 +0800 CST

does rolling back the kernel in Ubuntu compromise security

  • 772

I recently updated my kernel, and noticed that it was affecting my graphics drivers. As a quick fix I rolled back the driver , but would like to know if this affects my system security in any way?

Using 64 bit Ubuntu 14.04 - 3.19.0-47-generic

kernel

2 Answers

  1. Best Answer

    It does not affect your security any more as staying with that old version would have done.

    The rollback does not do anything special.

    To find out whether the specific update you rolled back or omitted contains severe security patches, look at the changelog of that version you rejected. Therefore visit http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/ and select the respective version directory, then open the changelog file and examine it:

    It will contain sections starting with the kernel update version as headline. Those below are the first two sections of the changelog of 4.2.0-30.36 as example:

    linux (4.2.0-30.36) wily; urgency=high

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550037

  [ Upstream Kernel Changes ]

  * drm/vmwgfx: Fix an fb unlocking bug
    - LP: #1548587

 -- Kamal Mostafa <[email protected]>  Thu, 25 Feb 2016 15:02:05 -0800

linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

 -- Luis Henriques <[email protected]>  Fri, 19 Feb 2016 10:25:02 +0000

[...many more lines...]

    As you can see, each changelog contains all previous changelogs as well. The latest changes are on the top. Just take a look at the first line, the headline of the most recent change:

    linux (4.2.0-30.36) wily; urgency=high

    You notice the urgency=high? That means it's an important security update which you should not omit if the system is attackable (which all systems connected to a public network or using removable media are) and you care for security.

    Of course you must check that for your own specific kernel version, as I don't know it. You find the running kernel version using uname -r, or the exact version (including the number after the .) using apt-cache policy linux-image-generic.

    • 6

  2. I will second Byte Commander's answer above, and add two basic points of simplification for those who may be confused by all the code / changelog references:

    1. As I understand it, not all security updates are kernel dependent. As packages are updated, sometimes security updates are made to individual packages instead of the kernel itself. Even if you roll back your kernel, you're still getting the benefits of new security updates for those packages.
    2. It really depends on your specific kernel, the kernel you're rolling back to, any system-wide changes or additions you may have made, and the existing security of the other software / hardware you're using, including your network. When a major security update is made to a kernel, it may or may not apply on all hardware or on all networks / network types. Obviously, sometimes, major security holes are fixed that apply on all or almost all systems, but as Byte Commander said, the best thing to do is to read the relevant release notes / changelogs to find out if this applies to you.
    • 2