Closed zx2c4 closed 7 years ago
In the meantime you can use these projects to get current vanilla Ubuntu/Arch Kernels on your instance: https://github.com/stuffo/scaleway-archkernel for Arch armv7 Linux and https://github.com/stuffo/scaleway-ubuntukernel for Ubuntu x86_64.
Yes, I of course can just kexec into a new kernel, but that's a pretty ugly result at best. Service provider ships vulnerable software, so I have to boot into their vulnerable environment to then execute out of it? I'd rather just get the problem fixed at the root cause, and failing that, switch to a provider who still cares about this kind of thing.
(Alternatively, letting users choose their own PXE scripts would be fine as well.)
This ticket regards updating their kernel offerings to ones that are recent and not vulnerable. Let's use this ticket to track that progress.
Basically I agree. Long-term I would like to see either up-to-date kernels from Scaleway or the ability to use own or distribution supplied kernels. Sadly the use of NBD raises some difficulties. Based on eg. https://github.com/scaleway/kernel-tools/issues/322 I have no big hopes that the situation will change short-term. ;-)
Sorry about that. I'm working on bumping kernels to the latest releases. Once this is done, we'll try to keep up to date with the official releases as far as possible.
Here is a base: https://github.com/scaleway/kernel-tools/pull/339
We've just released a few kernels: 4.4.59, 4.9.20 and 4.10.8 for both x86 and arm. They're not set by default at the moment but you can change your bootscript to use them.
Thanks for doing that. Very much appreciated.
Please do consider setting them as default in the near future, as the existing defaults have known security vulnerabilities.
Can confirm that 4.8.10 works perfectly on C1 (Arch). Great job!
I received an email because this ticket was closed. However, you may want to reopen it, because the kernels are already out of date again!
Indeed keeping software up to date is a moving target. I suggest having an easy partially-automated way to bump these from your end, so that you can do version bumps on day 1 without it being a big hassle.
You are right, our team is currently working on improving the build and release process.
Please do let us know here about your progress. Being in a state of perpetual vulnerability is not a nice situation.
As of writing, the VC2S boots up to 4.4.38, by default. It can later be changed manually to 4.4.57. This too is out of date; the current kernel from that stable branch is 4.4.59.
However, the later stable branch is 4.9.20. Since the departure of various Scaleway team members, evidently nobody has made this update.
Furthermore, Scaleway ships as the "latest" option the 4.8.14 kernel, which is extremely out of date and should not be used. The actual "latest" option would be 4.10.8.
(The README.md of this repository is also out of date, since it doesn't list any current kernels or mention the C2 line.)
Please see kernel.org for more up-to-date details on what the latest kernels are as of your reading this message.
I reported this to the Scaleway technical support team via the official channel. They informed me that they were not able to handle issues relating to the security of the Scaleway platform and said that the only way to contact you regarding this issue would be by submitting a public ticket here. That seemed rather unprofessional, but even after pushing, they provided no alternative and consistently checked this.
In order to maintain quality of service on Scaleway, I'd advise you to step on the gas pedal again with kernel deployment. Otherwise you'll certainly be losing at least my business.
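The complaint above boils down to one check an operator would want to automate: is the kernel this instance booted still the newest release of its stable branch, and if not, how far behind is it? The following script is an added example (not part of this thread, and not Scaleway's kernel-tools code) that parses a `uname -r` style version string, maps it to its `major.minor` stable branch, and compares it against a table of latest known releases. The table here is constructed from the versions quoted in the thread (4.4.59, 4.9.20, 4.10.8); in real use it would be refreshed from kernel.org rather than hard-coded. A branch that has no entry in the table (such as 4.8 here) is reported as `unknown-branch`, which in practice usually means the branch is no longer maintained at all.

```python
"""Check whether the running kernel lags behind its stable branch.

Added example for the thread above; KNOWN_LATEST is a constructed table
built from the versions quoted in the discussion, not live kernel.org data.
"""
import platform
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Constructed sample: latest known release per stable branch at the time of
# the thread. Refresh this from kernel.org before relying on the verdict.
KNOWN_LATEST: List[str] = ["4.4.59", "4.9.20", "4.10.8"]

# Accepts "4.4.38", "4.9.20-std-1", "4.10.8-mainline-rev1"; trailing suffixes
# after the numeric triple are ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(s: str) -> Version:
    """Parse 'major.minor[.patch][-suffix]' into an integer triple."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def branch_of(v: Version) -> Branch:
    """Stable branches are identified by major.minor (e.g. 4.4, 4.9)."""
    return (v[0], v[1])


def latest_by_branch(known: List[str]) -> Dict[Branch, Version]:
    """Reduce a list of release strings to the newest version per branch."""
    latest: Dict[Branch, Version] = {}
    for s in known:
        v = parse_version(s)
        b = branch_of(v)
        if b not in latest or v > latest[b]:
            latest[b] = v
    return latest


def assess(running: str, known: Optional[List[str]] = None) -> dict:
    """Compare a running kernel version against the known-latest table.

    Returns a dict with:
      status        'current', 'stale', or 'unknown-branch'
      running       parsed running version
      branch_latest newest known release on the same branch (None if unknown)
      newest        newest known release across all branches
      patch_lag     number of point releases the instance is behind (0 if current)
    """
    table = latest_by_branch(known if known is not None else KNOWN_LATEST)
    v = parse_version(running)
    b = branch_of(v)
    newest = max(table.values())
    if b not in table:
        return {"status": "unknown-branch", "running": v,
                "branch_latest": None, "newest": newest, "patch_lag": 0}
    bl = table[b]
    if v >= bl:
        return {"status": "current", "running": v,
                "branch_latest": bl, "newest": newest, "patch_lag": 0}
    return {"status": "stale", "running": v,
            "branch_latest": bl, "newest": newest, "patch_lag": bl[2] - v[2]}


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


if __name__ == "__main__":
    # On a real host, platform.release() returns the same string as `uname -r`.
    verdict = assess(platform.release())
    print(f"running {fmt(verdict['running'])}: {verdict['status']}",
          f"(branch latest: {fmt(verdict['branch_latest']) if verdict['branch_latest'] else 'n/a'},",
          f"newest overall: {fmt(verdict['newest'])}, patch lag: {verdict['patch_lag']})")
```

Run against the versions in the thread, the VC2S default `4.4.38` comes out `stale` with a patch lag of 21 behind 4.4.59, the manually selectable `4.4.57` is `stale` by 2, the "latest" bootscript kernel `4.8.14` is `unknown-branch` because 4.8 is absent from the table, and `4.10.8` is `current`. Wiring this into a periodic job that alerts on anything other than `current` is a cheap way to notice exactly the drift the thread describes before an attacker does.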