From fce574dc8521aad077d2b12ed255c57f1f0c2c21 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 18 May 2024 20:32:34 +0200 Subject: Regenerating debian files. Signed-off-by: Daniel Baumann --- .../linux-image-6.7.7-progress7.99-sh7785lcr.NEWS | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 debian/linux-image-6.7.7-progress7.99-sh7785lcr.NEWS (limited to 'debian/linux-image-6.7.7-progress7.99-sh7785lcr.NEWS') diff --git a/debian/linux-image-6.7.7-progress7.99-sh7785lcr.NEWS b/debian/linux-image-6.7.7-progress7.99-sh7785lcr.NEWS new file mode 100644 index 0000000000..f8e1fc0229 --- /dev/null +++ b/debian/linux-image-6.7.7-progress7.99-sh7785lcr.NEWS @@ -0,0 +1,83 @@ +linux (5.10.46-4) unstable; urgency=medium + + * From Linux 5.10.46-4, unprivileged calls to bpf() are disabled by + default, mitigating several security issues. However, an admin can + still change this setting later on, if needed, by writing 0 or 1 to + the kernel.unprivileged_bpf_disabled sysctl. + + If you prefer to keep unprivileged calls to bpf() enabled, set the + sysctl: + + kernel.unprivileged_bpf_disabled = 0 + + which is the upstream default. + + -- Salvatore Bonaccorso Mon, 02 Aug 2021 22:59:24 +0200 + +linux (5.10~rc7-1~exp2) unstable; urgency=medium + + * From Linux 5.10, all users are allowed to create user namespaces by + default. This will allow programs such as web browsers and container + managers to create more restricted sandboxes for untrusted or + less-trusted code, without the need to run as root or to use a + setuid-root helper. + + The previous Debian default was to restrict this feature to processes + running as root, because it exposed more security issues in the + kernel. However, the security benefits of more widespread sandboxing + probably now outweigh this risk. + + If you prefer to keep this feature restricted, set the sysctl: + + kernel.unprivileged_userns_clone = 0 + + -- Ben Hutchings Sun, 13 Dec 2020 17:11:36 +0100 + +linux-latest (86) unstable; urgency=medium + + * From Linux 4.13.10-1, AppArmor is enabled by default. This allows + defining a "profile" for each installed program that can mitigate + security vulnerabilities in it. However, an incorrect profile might + disable some functionality of the program. + + In case you suspect that an AppArmor profile is incorrect, see + and + consider reporting a bug in the package providing the profile. The + profile may be part of the program's package or apparmor-profiles. + + -- Ben Hutchings Thu, 30 Nov 2017 20:08:25 +0000 + +linux-latest (81) unstable; urgency=medium + + * From Linux 4.10, the old 'virtual syscall' interface on 64-bit PCs + (amd64) is disabled. This breaks chroot environments and containers + that use (e)glibc 2.13 and earlier, including those based on Debian 7 + or RHEL/CentOS 6. To re-enable it, set the kernel parameter: + vsyscall=emulate + + -- Ben Hutchings Fri, 30 Jun 2017 23:50:03 +0100 + +linux-latest (76) unstable; urgency=medium + + * From Linux 4.8, several changes have been made in the kernel + configuration to 'harden' the system, i.e. to mitigate security bugs. + Some changes may cause legitimate applications to fail, and can be + reverted by run-time configuration: + - On most architectures, the /dev/mem device can no longer be used to + access devices that also have a kernel driver. This breaks dosemu + and some old user-space graphics drivers. To allow this, set the + kernel parameter: iomem=relaxed + - The kernel log is no longer readable by unprivileged users. To + allow this, set the sysctl: kernel.dmesg_restrict=0 + + -- Ben Hutchings Sat, 29 Oct 2016 02:05:32 +0100 + +linux-latest (75) unstable; urgency=medium + + * From Linux 4.7, the iptables connection tracking system will no longer + automatically load helper modules. If your firewall configuration + depends on connection tracking helpers, you should explicitly load the + required modules. For more information, see + . + + -- Ben Hutchings Sat, 29 Oct 2016 01:53:18 +0100 -- cgit v1.2.3