Is UTM 9 affected by CVE-2016-10229?

As far as I know UTM is still based on SLES. Here is their advisory and kernel 3.12.53 and above seems to be fixed. https://www.suse.com/security/cve/CVE-2016-10229/

On my 9.411 install my kernel version is 3.12.58-0.247785862.g17c1041.rb7-smp64

While UTM is based on SLES, the kernel is custom I believe. i.e. Sophos builds and maintains their own kernel with it's own unique build features and tweaks. So, whether or not SLES is vulnerable isn't pertinent.

I can obtain the kernel build options from /boot, however it isn't clear from that whether or not udp.c is patched to remove this vulnerability as it is definitely present in the kernel upstream from SUSE upon which 3.12.58 is based. So, just because the kernel version on UTM 9.441 states the kernel version is > 3.12.53, doesn't mean it is definitely free of this vulnerability. I would hope Sophos would put out info as to the status of UTM vs CVE-2016-10229, especially as a remote code execution vulnerability in the kernel is a big deal.

While UTM is based on SLES, the kernel is custom I believe. i.e. Sophos builds and maintains their own kernel with it's own unique build features and tweaks. So, whether or not SLES is vulnerable isn't pertinent.

I can obtain the kernel build options from /boot, however it isn't clear from that whether or not udp.c is patched to remove this vulnerability as it is definitely present in the kernel upstream from SUSE upon which 3.12.58 is based. So, just because the kernel version on UTM 9.441 states the kernel version is > 3.12.53, doesn't mean it is definitely free of this vulnerability. I would hope Sophos would put out info as to the status of UTM vs CVE-2016-10229, especially as a remote code execution vulnerability in the kernel is a big deal.

You are absolutely correct that only sophos can confirm/deny if the vulnerability exists in their kernel. However I am not sure what you mean by vulnerability is definitely present in 3.12.58 when they patched it in 3.12.53 as 3.12.58 is only supported because of SLES, it seems highly unlikely that they will introduce the vulnerability back in the kernel. https://www.linux.com/news/linux-kernel-312-be-supported-until-2017-because-suse-linux-enterprise-12 

I'd have to agree with Billybob, but why not open a ticket with Sophos Support and report their answer here?

It's not so much that they build their own kernel.  According to what I've been told over the years, they strip a lot of stuff out of what they get from SUSE and run what's left through a lot of tests.  Then, when SUSE fixes something and issues a new release, the developers usually fix the version that they've vetted instead of jumping onto the new SUSE version.  It's not impossible that they offer a fix before SUSE does.  To get a feel for this, check out the Up2Date blog, e.g., UTM Up2Date 9.409 Released.

Cheers - Bob

SUSE may have patched their (SLES') version of 3.12.53, but the generic upstream version of 3.12.53 is vulnerable.

I don't have a support contract with Sophos, else I would have gone to Sophos with this. UTM is used on my home network.

My experience with asking over the last ten years has resulted in no answers that would stimulate me to ask this question.  If anyone else with Sophos Support can open a ticket on this, please let us know the result.

Cheers - Bob