Dag Wieers wrote:
> On Mon, 11 Feb 2008, jarmo wrote:
>
> > Scott McClanahan wrote in his message (sent Monday, 11 February 2008):
> >
> > > On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
> > > > On Feb 11, 2008 8:19 AM, Scott McClanahan <scott.mcclanahan@xxxxxxxxxxxx> wrote:
> > > > > On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
> > > > > > Valent Turkovic wrote:
> > > > > > > I saw that there is a local root exploit in the wild.
> > > > > > > http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> > > > > > >
> > > > > > > And I see my centos box still has: 2.6.18-53.1.4.el5
> > > > > > >
> > > > > > > yum says there are no updates... am I safe?
> > > > > > >
> > > > > > > Valent.
> > > > > >
> > > > > > The current kernel is 53.1.6.el5
> > > > > >
> > > > > > If yum isn't seeing it - it probably needs to clean its cached headers.
> > > > > >
> > > > > > try:
> > > > > >
> > > > > > yum clean headers
> > > > > > yum update kernel
> > > > > >
> > > > > > However - the 53.1.6.el5 release also is vulnerable, so you may as well wait for the exploit to be fixed before updating. I'm guessing CentOS will do it fairly quickly after rhel does.
> > > > >
> > > > > I understand that a known root exploit must be patched, but I'm curious to know: if we upgrade to the fixed kernel once released, will it also include the degraded nfs performance discussed here:
> > > > >
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=431092
> > > >
> > > > We have to wait and see, but my impression is that the nfs fix would not be in the updated kernel (I hope I am wrong). They are talking about getting it into 5.2 (even possibly into 5.3). I can see that this is a problem. Now, we can not "stay with 53.1.4" on the systems where the local root exploit is a serious problem.
> > >
> > > Yes, until now we had no problem stalling on 53.1.4. I guess we'll have to test how bad the nfs performance degradation actually is under a heavy load in our environment.
> >
> > Of course there's a way: get vanilla kernel 2.6.24.2, use the old config, compile it and run. I've done it.
>
> And *poof* you lost all support or reproducibility that people crave when using CentOS or RHEL.
>
> So yes, it is a possibility, but probably unlikely when people have chosen CentOS or RHEL. And especially for those systems that are considered production (or important) and that are the most vulnerable you may not want to do this. (Or maybe instead you need to!)

Yes, true, but say you are running a shell account system and want to know it isn't vulnerable, can't wait until upstream provides a fix and don't want to run some possibly flaky work-around patch, what then? I think one needs to weigh the consequences in these scenarios instead of saying it should be all one way or the other.

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
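The thread turns on two questions an admin cannot answer by eyeballing `uname -r`: is the running kernel older than the release the vendor advisory names as fixed, and has `yum update kernel` installed that release without a reboot having happened yet (in which case the box is still running the vulnerable kernel). The script below is an added example, not code from any poster in this thread. It compares EL-style kernel release strings segment by segment (numeric segments as integers, an alphabetic segment losing to a numeric one, the same ordering `rpmvercmp` uses for these cases) and classifies a host as `ok`, `reboot-required` or `update-required`. The function names, the `kernel_status` argument convention and the release list in the demo are all constructed for this example; the "fixed" release passed as the third argument is a placeholder, since at the time of this thread no fixed release existed (the page says 53.1.6 is still vulnerable).

```shell
#!/bin/sh
# kver_cmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Release strings look like 2.6.18-53.1.4.el5 (what uname -r prints on CentOS 5).
kver_cmp() {
    awk -v a="$1" -v b="$2" '
    # Split a release string into runs of digits and runs of letters;
    # every other character is a separator.  Returns the segment count.
    function split_segs(s, arr,   n, i, c, cur, kind, k) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) k = "num"
            else if (c ~ /[A-Za-z]/) k = "alpha"
            else k = ""
            if (k == "" || k != kind) {
                if (cur != "") arr[++n] = cur
                cur = ""; kind = k
            }
            if (k != "") cur = cur c
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        na = split_segs(a, A); nb = split_segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            an = (A[i] ~ /^[0-9]+$/); bn = (B[i] ~ /^[0-9]+$/)
            if (an && bn) {                      # both numeric: integer compare
                if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 1 : -1; print r; exit }
            } else if (an != bn) {               # numeric segment beats alphabetic
                r = an ? 1 : -1; print r; exit
            } else if (A[i] != B[i]) {           # both alphabetic: string compare
                r = (A[i] > B[i]) ? 1 : -1; print r; exit
            }
        }
        # Common prefix equal: whichever string has segments left over is newer.
        if (na == nb) r = 0; else r = (na > nb) ? 1 : -1
        print r
    }'
}

# newest_kernel_in_list: reads release strings on stdin (one per line, e.g.
# from: rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n') and prints the newest.
newest_kernel_in_list() {
    best=""
    while read -r v; do
        if [ -n "$v" ]; then
            if [ -z "$best" ] || [ "$(kver_cmp "$v" "$best")" -gt 0 ]; then
                best="$v"
            fi
        fi
    done
    printf '%s\n' "$best"
}

# kernel_status RUNNING NEWEST_INSTALLED FIXED
#   ok               running kernel is at or past the fixed release
#   reboot-required  the fixed release is installed but not the one running
#   update-required  no installed kernel reaches the fixed release
kernel_status() {
    if [ "$(kver_cmp "$1" "$3")" -ge 0 ]; then
        echo ok
    elif [ "$(kver_cmp "$2" "$3")" -ge 0 ]; then
        echo reboot-required
    else
        echo update-required
    fi
}

# Demo on constructed data (not the output of any real host).  The third
# argument is a placeholder for whatever release the vendor advisory names.
demo_running=2.6.18-53.1.4.el5
demo_installed=$(printf '2.6.18-53.el5\n2.6.18-53.1.4.el5\n2.6.18-53.1.6.el5\n' | newest_kernel_in_list)
echo "running=$demo_running newest_installed=$demo_installed status=$(kernel_status "$demo_running" "$demo_installed" 2.6.18-53.1.6.el5)"

# On a live CentOS 5 host you would instead run (not executed here):
#   kernel_status "$(uname -r)" \
#       "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' | newest_kernel_in_list)" \
#       <release named in the advisory>
```

Two caveats a practitioner should keep in mind. Version ordering says nothing about fix status: the script reports `ok` for a vanilla 2.6.24.2 against any 2.6.18-53.x release because 24 > 18, and it would equally report `ok` for 53.1.6 if you fed that in as the fixed release, even though the thread says 53.1.6 is still vulnerable; the third argument must come from the advisory, not from "latest in the repo". And `update-required` after `yum update kernel` reports nothing is exactly the stale-cache situation Michael describes, so `yum clean headers` before re-checking is the first thing to try.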