
Update kernel and patch Dirty COW (CVE-2016-5195) #1481

Closed

ageis opened this issue Dec 2, 2016 · 3 comments

Comments

@ageis
Contributor

ageis commented Dec 2, 2016

The Linux kernel that runs on SecureDrop servers (3.14.48) is overdue for an update; not only is 3.14 EOL'd, but it's vulnerable to a critical privilege escalation vulnerability. Specifically, a race condition in the memory subsystem can allow an unprivileged local user to gain superuser write access and escalate privileges.

@conorsch
Contributor

conorsch commented Dec 2, 2016

We're working on this. See freedomofpress/ansible-role-grsecurity#80 for EOL updates, moving Trusty kernels over to the 4.x series.

#1245 is creating complications in the automatic updates strategy, so we may need to patch the Ubuntu overlay scripts to set the required PaX flags.

@psivesely
Contributor

We are beginning testing on a new 3.14.Z kernel in an effort to get a new kernel out as fast as possible (rather than switching to the 4.4.Z series immediately, which could cause roadblocks, though we do intend to switch over in the near future). The latest stable series grsec patch includes f9284652b2a1be37e57d9bad3024d27969399d40 from upstream, which fixes "Dirty COW."

@conorsch
Contributor

We published new kernel images based on 3.14.79 (including Dirty COW mitigations via grsecurity patches, as @fowlslegs mentioned) yesterday. All existing instances should have upgraded automatically by now. If you have any trouble, contact us at [email protected].
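The thread above gives an administrator two concrete numbers: the vulnerable kernel the servers were running (3.14.48) and the release that shipped with the fix (3.14.79). The script below is an added example, not SecureDrop's own tooling, that checks whether a `uname -r` string is at or above that minimum. The function names (`numeric_release`, `compare_versions`, `kernel_is_patched`) are invented for this example, and the only threshold it knows is the 3.14.79 figure from the comment above. It compares each dot-separated component numerically rather than as text, so `3.14.9` correctly sorts below `3.14.79`, and it strips suffixes such as `-grsec` before comparing. The caveat a practitioner should keep in mind: a version check only tells you something for the kernel line this thread is about; distribution kernels routinely backport fixes under older version numbers, so on other systems the distribution's own advisory is the authoritative source.

```shell
#!/bin/sh
# Added example (not SecureDrop code): check a kernel release string against the
# minimum patched release named in the issue thread above.

# Minimum release the thread reports as carrying the Dirty COW fix (3.14.79).
MIN_KERNEL="3.14.79"

# Print the numeric major.minor.patch prefix of a release string, dropping any
# suffix such as "-grsec" or "-45-generic".
numeric_release() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# component N VERSION: print the N-th dot-separated component of VERSION,
# or 0 when VERSION has fewer than N components (so 4.4 compares equal to 4.4.0).
component() {
    n=$1
    old_ifs=$IFS
    IFS=.
    set -- $2
    IFS=$old_ifs
    eval "printf '%s\n' \"\${$n:-0}\""
}

# compare_versions A B: print lt, eq or gt according to how A relates to B,
# comparing major, minor and patch numerically.
compare_versions() {
    a=$(numeric_release "$1")
    b=$(numeric_release "$2")
    for i in 1 2 3; do
        ca=$(component "$i" "$a")
        cb=$(component "$i" "$b")
        if [ "$ca" -lt "$cb" ]; then echo lt; return 0; fi
        if [ "$ca" -gt "$cb" ]; then echo gt; return 0; fi
    done
    echo eq
}

# kernel_is_patched RELEASE: exit 0 when RELEASE is at least MIN_KERNEL.
kernel_is_patched() {
    [ "$(compare_versions "$1" "$MIN_KERNEL")" != lt ]
}

# Stand-alone use: report on the running kernel.
main() {
    running=$(uname -r)
    if kernel_is_patched "$running"; then
        echo "kernel $running is at or above $MIN_KERNEL"
    else
        echo "kernel $running is below $MIN_KERNEL; update required"
    fi
}

main "$@"
```

Run it on a host to compare the live `uname -r` against the threshold, or call `kernel_is_patched` with a release string taken from inventory data when auditing a fleet from one place.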
