Major security issue: CVE-2016-5195 / Dirty COW

There is a big security risk in the Linux kernel:

It was fixed with kernel 4.4.26, which is also available in the GitHub repo:

But my local version on my Turris and in the package repository is still 4.4.13.

I guess this is kind of urgent. Does anyone know when the updated kernel will be rolled out as a binary package?

Hello

To cite one important piece of literature: “Don’t panic”. While the flaw is serious and it will be patched, it has somewhat lower impact on your router than on shared hosting, for example.

The flaw allows an ordinary user to gain administrative privileges. It is a local attack. However, by default, there are no ordinary users on the router in the first place. So you would either have to give some bad guy shell access or the bad guy would need to crack some other service exposed to the Internet to get in first (and, considering that TurrisOS is derived from OpenWRT and most things already run with administrative privileges, this attack wouldn’t be needed after that). No services are made available in the default configuration to the outside Internet.

We do take it seriously and we’ll release the fix soon (no concrete schedule is set yet, though), but unless you made some serious changes to the configuration, you’re safe from this problem.

If you really insist on running shared shell hosting on your router, then you could migrate to the nightly branch; however, things may (and do) break there, so I won’t post the guide on how to do that here.

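The two conditions the reply relies on (a 4.4 kernel older than the 4.4.26 fix named in the thread, and no ordinary users on the box) can be checked from a shell. This is an added example, not part of the original posts; the function names and the sample passwd lines are constructed, and the version check only speaks for the 4.4 series.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two conditions discussed above.

FIXED=4.4.26   # fixed kernel version as stated in the thread

# kernel_status VERSION -> prints "older", "fixed" or "unknown".
# Only kernels in the same major.minor series as $FIXED are judged;
# other series are reported as "unknown" rather than guessed.
kernel_status() {
    # Drop any suffix such as "-custom" or "+build" before comparing.
    awk -v a="${1%%[-+]*}" -v b="$FIXED" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1] != y[1] || x[2] != y[2]) { print "unknown"; exit }
        if (x[3] + 0 < y[3] + 0) print "older"; else print "fixed"
    }'
}

# login_users [FILE] -> names of non-root accounts whose shell is not
# nologin/false. Reads passwd-format input from FILE or stdin.
# An empty shell field is kept, since it means the default shell.
login_users() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$@"
}

# Constructed sample in passwd format (not taken from a real router),
# for trying the check offline: sample_passwd | login_users
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
guest:x:1000:1000:guest:/home/guest:/bin/ash
EOF
}

# Report for the machine this runs on.
running=$(uname -r)
echo "kernel $running: $(kernel_status "$running")"
echo "non-root accounts with a login shell:"
if [ -r /etc/passwd ]; then
    login_users /etc/passwd
fi
```

An empty account list matches the default situation the reply describes; any name printed is an ordinary user for whom a local privilege escalation would matter.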