Re: local root exploit

On Mon, 11 Feb 2008, jarmo wrote:

> Scott McClanahan wrote in his message (sent Monday, 11 February 2008):
> > On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
> > > On Feb 11, 2008 8:19 AM, Scott McClanahan <scott.mcclanahan@xxxxxxxxxxxx>
> wrote:
> > > > On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
> > > > > Valent Turkovic wrote:
> > > > > > I saw that there is a local root exploit in the wild.
> > > > > > http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> > > > > >
> > > > > > And I see my centos box still has:  2.6.18-53.1.4.el5
> > > > > >
> > > > > > yum says there are no updates... am I safe?
> > > > > >
> > > > > > Valent.
> > > > >
> > > > > The current kernel is 53.1.6.el5
> > > > >
> > > > > If yum isn't seeing it - it probably needs to clean its cached
> > > > > headers.
> > > > >
> > > > > try:
> > > > >
> > > > > yum clean headers
> > > > > yum update kernel
> > > > >
> > > > > However - the 53.1.6.el5 release also is vulnerable, so you may as
> > > > > well wait for the exploit to be fixed before updating. I'm guessing
> > > > > CentOS will do it fairly quickly after rhel does.
> > > >
> > > > I understand that a known root exploit must be patched but I'm curious
> > > > to know if we upgrade to the fixed kernel once released will it also
> > > > include the degraded nfs performance discussed here:
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=431092
> > >
> > > We have to wait and see, but my impression is that the nfs fix would
> > > not be in the updated kernel (I hope I am wrong).  They are talking
> > > about getting it into 5.2 (even possibly into 5.3).  I can see that
> > > this is a problem.  Now, we can not "stay with 53.1.4"  on the systems
> > > where the local root exploit is a serious problem.
> >
> > Yes, until now we had no problem stalling on 53.1.4.  I guess we'll have
> > to test how badly the nfs performance degradation actually is under a
> > heavy load in our environment.
>
> Of course there's a way: get the vanilla kernel 2.6.24.2, use the old config,
> compile it and run it. I've done it.

And *poof* you lost all support or reproducibility that people crave when
using CentOS or RHEL.

So yes, it is a possibility, but probably unlikely when people have chosen
CentOS or RHEL. And especially for those systems that are considered
production (or important) and that are the most vulnerable you may not
want to do this. (Or maybe instead you need to!)

-- 
--   dag wieers,  dag@xxxxxxxxxx,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
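A shell check for the question that opens the thread ("am I safe?"), added here as an example; it is not part of the original post and not CentOS or Red Hat tooling. It tokenizes two kernel release strings the way rpm's version comparison does (digit runs and letter runs compared segment by segment, a numeric segment outranking an alphabetic one, the string with segments left over winning) and reports whether the running kernel is at or above a minimum fixed release passed as an argument. That fixed release is an assumption the caller supplies: the thread only establishes that 53.1.4 and 53.1.6 are both still vulnerable, and the script deliberately has no default for it. The comparison omits rpm's later tilde and caret rules, which no 2008 kernel release uses. One caveat the thread skips over: `yum update kernel` only installs the new kernel on disk, and `uname -r` keeps reporting the old one until the box is rebooted, so a check like this must run against the running kernel, not the installed package list.

```shell
#!/bin/sh
# Added example (not from the thread): compare kernel release strings the way
# rpm does and report whether the running kernel is at or above a fixed one.
set -u

# Split a release string such as 2.6.18-53.1.6.el5 into one token per line:
# runs of digits and runs of letters, with every separator dropped.
tokenize() {
    printf '%s\n' "$1" \
        | sed -e 's/[^A-Za-z0-9]/ /g' \
              -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
              -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Drop leading zeros so "007" and "7" compare equal; an all-zero run becomes 0.
decimal() {
    n=${1#"${1%%[!0]*}"}
    printf '%s\n' "${n:-0}"
}

# Print -1, 0 or 1 for $1 <, =, > $2, following rpmvercmp's core rules:
# numeric segments compare as integers, alphabetic ones as strings, a numeric
# segment beats an alphabetic one, and whichever string still has segments
# left over wins. rpm's later tilde and caret rules are not implemented.
vercmp() {
    a=$(tokenize "$1" | tr '\n' ' ')
    b=$(tokenize "$2" | tr '\n' ' ')
    while [ -n "$a$b" ]; do
        ta=${a%% *}; case $a in *' '*) a=${a#* } ;; *) a= ;; esac
        tb=${b%% *}; case $b in *' '*) b=${b#* } ;; *) b= ;; esac
        if [ -z "$ta" ]; then printf '%s\n' -1; return; fi
        if [ -z "$tb" ]; then printf '%s\n' 1; return; fi
        case $ta in *[!0-9]*) na=0 ;; *) na=1 ;; esac
        case $tb in *[!0-9]*) nb=0 ;; *) nb=1 ;; esac
        if [ "$na" -eq 1 ] && [ "$nb" -eq 1 ]; then
            da=$(decimal "$ta"); db=$(decimal "$tb")
            if [ "$da" -lt "$db" ]; then printf '%s\n' -1; return; fi
            if [ "$da" -gt "$db" ]; then printf '%s\n' 1; return; fi
        elif [ "$na" -ne "$nb" ]; then
            # numeric segment outranks alphabetic: 53.1.4.el5 > 53.el5
            if [ "$na" -eq 1 ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
            return
        elif [ "$ta" != "$tb" ]; then
            if [ "$(expr "$ta" \< "$tb")" = 1 ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
            return
        fi
    done
    printf '%s\n' 0
}

# Exit 0 when release $1 is at or above release $2, non-zero otherwise.
kernel_is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# Usage: sh kcheck.sh <minimum-fixed-release>
# The fixed release is whatever the advisory names (hypothetical here; the
# thread only knows that 53.1.4 and 53.1.6 are both still vulnerable).
if [ $# -ge 1 ]; then
    running=$(uname -r)
    if kernel_is_fixed "$running" "$1"; then
        printf 'running kernel %s is at or above %s\n' "$running" "$1"
    else
        printf 'running kernel %s is below %s: yum clean headers; yum update kernel; then reboot\n' "$running" "$1"
        exit 2
    fi
fi
```

Run it as `sh kcheck.sh 2.6.18-53.1.6.el5` (or whatever release the errata eventually names) on each box; the exit status is 2 when the running kernel is older, which makes it usable from a cron job or a config-management check. The same `vercmp` also orders a vanilla release such as 2.6.24.2 above any 2.6.18-based EL5 kernel, which is what rpm would do too, so do not read "newer" as "supported".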