Releasing Whonix with newer kernels

Did you consider shipping Whonix with newer kernels quarterly? Older kernels are easier to attack and to escalate privileges on.

There is no privacy without security.

Some journalists and users might not know how to upgrade kernels. I can give you a few examples.

Vulnerability against the browser 1 year ago:
thehackernews dot com/2024/08/0000-day-18-year-old-browser.html
Social engineering

LPEs
github dot com/lrh2000/StackRot
github dot com/Notselwyn/CVE-2024-1086
bleepingcomputer dot com/news/security/cisa-warns-of-attackers-exploiting-linux-flaw-with-poc-exploit/

All nation-state actors need is an exploit against the browser or social engineering, a privilege escalation and a VM escape exploit, which some journalists are targets of.

Running newer kernels can stop some of them. Maybe you could do something like the Ubuntu LTS release schedule with new kernel updates.

1 Like

At time of writing, after 13 years of history [1], it’s going to be hard to suggest things which have not been suggested without creating duplicates.

[1]

1 Like

I know that it has been suggested before; that is why you should do it.

Why don't you want to improve security for your users when you can? There are users who are not tech-savvy enough to do it or do not even know about it.

This can land a journalist in jail or even kill them, when they find out where they live. Mitigating some attack vectors helps.

It is very serious.

1 Like

Reasons:

  • Technical challenges.
    • See prior discussions in links provided in my previous post.
  • What can be done manually by advanced users cannot necessarily be done by a Linux distribution.
    • If this was a no-brainer, this would be Debian’s default. It isn’t, for technical reasons.
  • Maintainability
  • Kicksecure Stable Version User Experience
1 Like

I guess the main issue is that Whonix is based on Debian stable, which is a distribution with a pretty conservative release policy. Each package in the Debian stable repository is tested for months and years before it is released. So, if a user wants to run a newer kernel, he can visit

https://www.kernel.org

download the newest Linux kernel tarball, build the kernel and install it manually. It is not always needed though, because on Linux hosts newer kernel versions often don’t support the VirtualBox kernel module. As for the guest OS, Whonix is secure by design, which means any Workstation with any kernel version is safe.

1 Like
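The manual route described in the post above, as an added example that is not part of the thread or the Whonix project: a POSIX shell script that first checks whether the running kernel is older than a minimum you choose (MIN_KERNEL is a placeholder, not a value from the thread) and then fetches a mainline tarball from kernel.org and verifies its detached PGP signature before anything is built. The signature step follows the procedure kernel.org documents (keys for torvalds@kernel.org and gregkh@kernel.org, signature made over the uncompressed tarball); the version-compare helpers and the `run` argument guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the running kernel version and
# verify a kernel.org tarball signature before building it by hand.
# MIN_KERNEL is a placeholder; set it to the release that carries the fixes you need.
MIN_KERNEL="${MIN_KERNEL:-6.6}"
KERNEL_VERSION="${KERNEL_VERSION:-6.6.1}"   # example release, pick the current stable one

# Strip the distro suffix from a `uname -r` string: 6.1.0-18-amd64 -> 6.1.0
base_version() {
    printf '%s\n' "$1" | sed 's/[-+].*//'
}

# True (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# True when the kernel named by $1 (uname -r output) is older than $2.
kernel_outdated() {
    version_lt "$(base_version "$1")" "$2"
}

# Download tarball plus detached signature and verify it before unpacking.
# Runs only when the script is invoked with the `run` argument, so the
# helpers above can be sourced and tested without touching the network.
fetch_and_verify() {
    major="${KERNEL_VERSION%%.*}"
    base="https://cdn.kernel.org/pub/linux/kernel/v${major}.x"
    curl -fsSLO "${base}/linux-${KERNEL_VERSION}.tar.xz"
    curl -fsSLO "${base}/linux-${KERNEL_VERSION}.tar.sign"
    # Fetch the release-signing keys by their kernel.org addresses (WKD lookup).
    gpg --locate-keys torvalds@kernel.org gregkh@kernel.org >/dev/null
    # The signature covers the uncompressed tarball, so decompress first.
    unxz -k "linux-${KERNEL_VERSION}.tar.xz"
    gpg --verify "linux-${KERNEL_VERSION}.tar.sign" "linux-${KERNEL_VERSION}.tar" \
        || { echo "signature check FAILED, refusing to build" >&2; return 1; }
    echo "signature OK; unpack with: tar xf linux-${KERNEL_VERSION}.tar"
    echo "then: make olddefconfig && make -j\"\$(nproc)\" && sudo make modules_install install"
}

if [ "${1:-}" = "run" ]; then
    if kernel_outdated "$(uname -r)" "$MIN_KERNEL"; then
        echo "running kernel $(uname -r) is older than $MIN_KERNEL" >&2
        fetch_and_verify
    else
        echo "running kernel $(uname -r) already meets $MIN_KERNEL"
    fi
fi
```

The check-then-verify order matters: an attacker who can tamper with the download only wins if the build proceeds on an unverified archive, so the build commands are printed rather than executed until the signature passes. On a Linux host this still leaves the thread's caveat in place: confirm that the VirtualBox modules build against the new kernel before rebooting into it.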