From Phoronix's article: To patch your Kernels: https://git.kernel.org/cgit/linux/k.../?id=84ac7260236a49c79eede91617700174c2c19b0c
I only mentioned Arch above because some distros haven't compiled a kernel with the latest patch nor obviously thus pushed such a kernel for updates. Debian doesn't have it listed on their security advisory page yet (latest advisory is from 12-1-2016), and the latest kernel I see listed online was built 10-19-2016 (same as what's installed in Whonix). Perhaps I've missed where Debian has it listed (I'll have to look tomorrow and alert them if I see nothing), but for certain Whonix lists up-to-date according to APT despite no fix to this problem. Whonix mostly uses Debian anyways... It's been interesting using Debian and Arch side by side - sometimes Arch beats Debian to the punch with security updates and sometimes it's the other way around. This is one area where Qubes really kills it - even if a TemplateVM takes forever to get a serious vulnerability patched, it doesn't really matter - as long as no Xen vulns are present, a root shell within an AppVM won't really do much good (assuming you properly compartmentalize what data you have on each domain). Anyways, I'll post up here when I finally get a fix on Debian/Whonix...
Debian is not affected as unprivileged user namespaces are disabled by default. The same is true for Arch btw.
To be honest I don't remember seeing Arch push security updates at all, they push all upstream updates but that's it. If upstream patched the security hole then yes, we'll probably get it sooner than Debian. On the other side Debian has a dedicated security team which can push things faster than upstream sometimes.
Are you sure? It says "Vulnerable" for every kernel since Wheezy which is from 2011, the same year this vulnerability was introduced in Linux.
Yes, the kernels are affected but that vulnerability is not usable. It's also mentioned in that Red Hat link in your post: The same is true for Debian and Arch. EDIT: Btw, Firejail also protects against this vulnerability in all sandboxed applications with profiles where caps.drop=all is used.
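A host-side check for the condition the replies above turn on, namely whether unprivileged users can create user namespaces. This is an added example, not part of any post in the thread; the two sysctl paths and the `userns_status` function name do not come from the thread, and the optional root-directory argument exists only so the logic can be run against constructed files.

```shell
#!/bin/sh
# Report whether unprivileged users can create user namespaces on this host.
# Optional argument: an alternate root directory, so the same logic can be
# exercised on constructed files instead of the live /proc.
userns_status() {
    root="${1:-}"
    ns="$root/proc/self/ns/user"
    # Debian/Ubuntu-patched kernels: 0 blocks unprivileged CLONE_NEWUSER.
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    # Mainline since Linux 4.9: 0 forbids creating any user namespace.
    max="$root/proc/sys/user/max_user_namespaces"

    # No ns/user entry means the kernel was built without CONFIG_USER_NS.
    if [ ! -e "$ns" ] && [ ! -L "$ns" ]; then
        echo "disabled-in-kernel-config"
    elif [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "disabled-by-sysctl"
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo "disabled-by-sysctl"
    else
        echo "enabled"
    fi
}

# Live check on the running system.
status="$(userns_status)"
echo "kernel $(uname -r): unprivileged user namespaces $status"
```

A result of `enabled` means the mitigating condition described in the thread does not hold on that host, so whether the installed kernel carries the fix is what matters.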