Dear,
Will you be supplying a hotfix for the Dirty COW vulnerability?
Current plan is for it to be fixed in the October update which should be out in the next couple of weeks.
Why wait till the October update? It's an important kernel update; the update promises to patch a total of four Linux kernel security vulnerabilities.
OSMC is a Multimedia Center that is not supposed to be exposed to the internet. So I doubt that any of those security vulnerabilities would be a major threat.
Root is pretty loose as it is; it's not hard to gain root on OSMC, so patching won't make that much difference.
And the October fix will roll out soon enough anyway.
If the exposure is too much for you, unplug your pi until we publish the update!
Otherwise, submit an appropriate pull request to our Github since you are obviously such a charitable person with no limits on your time, ability, and resources.
Quite a strange answer from a Team member. Your assumptions and attitude should not be allowed, so pay attention to what you write, and take this more seriously.
@puk78 it's in the works (spoke to Sam about it yesterday); it's the 22nd Oct and OSMC usually publish at the end of the month, so it's not that far away.
Also see my previous post about root access; the Dirty COW exploit attack vector is more aimed at closed systems, not at media centers.
There you have a point.
On my other Raspberry Pis I already run the patch that brings me to 4.4.26+: sudo rpi-update
Patch committed by popcornmix
I think stating that a Raspberry Pi/HTPC shouldn't be exposed to the internet is an invalid statement, however I do agree that it's a best practice not to do so. Personally, I have SSH port-forwarded on my router, as well as the Transmission web interface.
SSH for remote debugging if anyone from home calls that it isn't working as expected. A simple reboot of the mediacenter usually fixes most problems, so it's useful to be able to do this remotely. Moreover, with a Safari extension I'm able to add magnet links to the Transmission UI as soon as I see a nice trailer or whatever.
So yet again, I do agree that it's better not to do so, but it's not a valid statement saying that it simply isn't supposed to be exposed and that a solution would be just to unplug it. Lastly, any security bug should be fixed for the end-user's sake. I think it's up to the end-user to decide what they want to do with their OS/Device, but a responsibility of the OS manufacturer to timely publish hotfixes/updates for (serious) vulnerabilities.
There will be a fix in the staging repository today, with devices receiving the update via the normal channel by the end of the month
Thanks, will be changing the apt repo to 'deb http://apt.osmc.tv jessie-devel main' @sam_nazarko
Just changed the /etc/apt/sources.list, sudo apt-get update && sudo apt-get upgrade. Reboot gave me a long hex dump. Had to unplug the cable to get it back up. Dirty COW fix probably wasn't in the repo yet (as you mentioned, 'today'), as it's still vulnerable after the reboot. Did find the fix in the raspberry github repo though. Was hoping it would already be available.
The packages will be in the repository today.
BTW, do not run apt-get upgrade; you will break your system.
why will it break the system?
You should always run apt-get dist-upgrade.
The kernel has been updated in the following commit:
The builds will shortly be available in the repository and they are scheduled via Jenkins.
Ran 'sudo apt-get update && sudo apt-get dist-upgrade'. Prompted me to reboot and install on tv. After reboot, still vulnerable. Also got an error on the splash image on boot, saying that it can't find it. @sam_nazarko
uname -r
4.4.16-7-osmc
You're on the staging repository which will have experimental changes that are not released or necessarily ready for public use.
As explained, the new kernel has been scheduled for Jenkins. As there are kernels to build for Pi1, Pi2, Vero1, Vero2, AppleTV and we have limited build resources, it will take a few hours.
Be patient.
Ah, okay. Presumed that since there were updates available that stated 'kernel' that it would be included.
If you run that command, you will be pulling updates from all repositories you have added, including the Debian one. That may not necessarily include OSMC updates.
If you did run apt-get upgrade, you will need to reinstall your system. I have added a warning to prevent people running this in the future.