[CentOS] local root exploit

Dag Wieers dag at centos.org
Mon Feb 11 20:16:29 UTC 2008 

On Mon, 11 Feb 2008, jarmo wrote:

> Scott McClanahan kirjoitti viestissään (lähetysaika maanantai, 11. helmikuuta
> 2008):
> > On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
> > > On Feb 11, 2008 8:19 AM, Scott McClanahan <scott.mcclanahan at trnswrks.com>
> wrote:
> > > > On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
> > > > > Valent Turkovic wrote:
> > > > > > I saw that there is a local root exploit in the wild.
> > > > > > http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> > > > > >
> > > > > > And I see my centos box still has:  2.6.18-53.1.4.el5
> > > > > >
> > > > > > yum says there are no updates... am I safe?
> > > > > >
> > > > > > Valent.
> > > > >
> > > > > The current kernel is 53.1.6.el5
> > > > >
> > > > > If yum isn't seeing it - it probably needs to clean its cached
> > > > > headers.
> > > > >
> > > > > try:
> > > > >
> > > > > yum clean headers
> > > > > yum update kernel
> > > > >
> > > > > However - the 53.1.6.el5 release also is vulnerable, so you may as
> > > > > well wait for the exploit to be fixed before updating. I'm guessing
> > > > > CentOS will do it fairly quickly after rhel does.
> > > >
> > > > I understand that a known root exploit must be patched but I'm curious
> > > > to know if we upgrade to the fixed kernel once released will it also
> > > > include the degraded nfs performance discussed here:
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=431092
> > >
> > > We have to wait and see, but my impression is that the nfs fix would
> > > not be in the updated kernel (I hope I am wrong).  They are talking
> > > about getting it into 5.2 (even possibly into 5.3).  I can see that
> > > this is a problem.  Now, we can not "stay with 53.1.4"  on the systems
> > > where the local root exploit is a serious problem.
> >
> > Yes, until now we had no problem stalling on 53.1.4.  I guess we'll have
> > to test how badly the nfs performance degradation actually is under a
> > heavy load in our environment.
>
> Ofcource there's a way, get vanilla kernel 2.6.24.2 and use old config
> compile it and run. I've done it.

And *poof* you lost all support or reproducability that people crave when
using CentOS or RHEL.

So yes, it is a possibility, but probably unlikely when people have chosen
CentOS or RHEL. And especially for those systems that are considered
production (or important) and that are the most vulnerable you may not
want to do this. (Or maybe instead you need to !)

-- 
--   dag wieers,  dag at centos.org,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]

More information about the CentOS mailing list