Recently, several WLAN security bugs were fixed in the Linux kernel (oss-sec list, Phoronix). This service pack brings the related CVE patches to all devices in postmarketOS stable.
Usually service packs are for carrying features over from edge to stable, and security fixes are backported directly to stable without waiting for a service pack. However, this time the fix was not a trivial patch (like the one for dirtypipe), and we decided to just upgrade the kernel to version 6.0.2 where possible. This needed additional time for packaging and testing, and it made sense to bundle this all in a service pack and have a proper announcement around it. So here we are!
As of writing, 6.0.3 is already out. But this is fine: the point is to bring a version we tested on the devices to stable. It doesn't need to be the very latest one, as long as the important security bugs are fixed in the release we ship (in this case the WLAN CVEs, which are fixed in 6.0.2).
Contents
- linux-postmarketos-allwinner: upgrade to 6.0.2_git20221017-r1
  - Used by pinephone, pinetab
- linux-purism-librem5: add wifi CVE backports
- linux-pine64-pinephonepro: add wifi CVE backports
- linux-postmarketos-exynos4: upgrade to 6.0.2
  - Used by samsung-m0
- linux-postmarketos-omap: new aport (6.0.2)
  - Used by samsung-espresso-3g
- linux-postmarketos-qcom-msm8916: upgrade to 6.0.2
  - Used by arrow-db410c, bq-paella, lenovo-a6000, lenovo-a6010, motorola-harpia, samsung-a3, samsung-a5, samsung-gt510, samsung-gt58, samsung-serranove, wileyfox-crackling, xiaomi-wt88047
- linux-postmarketos-qcom-msm8996: upgrade to 6.0.2
  - Used by xiaomi-scorpio
- linux-postmarketos-qcom-sdm845: upgrade to 5.19.16
  - Used by oneplus-enchilada, oneplus-fajita, shift-axolotl, xiaomi-beryllium
- linux-postmarketos-rockchip: upgrade to 6.0.2
  - Used by pinebookpro, rockpro64
- linux-asus-me176c: upgrade to 5.4.219
- linux-odroid-hc2: add wifi CVE backports
- linux-nokia-n900: downgrade to 5.15.74
  - Yes, this is actually a downgrade. The N900 was on 5.18.1 before, which is EOL. On the other hand, 5.15 is a longterm release and received the CVE fixes. Upgrading to a higher version is currently not possible until a USB regression is figured out (pma#1761).
Refer to the devices wiki page to look up codenames and details for each device.
How to get it
Find the most recent images at our download page. Existing users of the v22.06 release will receive this service pack automatically on their next system update. If you read this blog post right after it was published, it may take a bit until binary packages and new images are available.
Thanks to everybody who made this possible, especially our amazing community members and upstream projects.