[CentOS] Re: local root exploit
Scott Silva
ssilva at sgvwater.com
Wed Feb 13 16:28:12 UTC 2008
on 2/13/2008 6:52 AM Johnny Hughes spake the following:
> Akemi Yagi wrote:
>> On Feb 11, 2008 10:52 AM, Scott McClanahan
>> <scott.mcclanahan at trnswrks.com> wrote:
>>>
>>> On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
>>
>>>> We have to wait and see, but my impression is that the nfs fix would
>>>> not be in the updated kernel (I hope I am wrong). They are talking
>>>> about getting it into 5.2 (even possibly into 5.3). I can see that
>>>> this is a problem. Now, we can not "stay with 53.1.4" on the systems
>>>> where the local root exploit is a serious problem.
>>>>
>>>> Akemi
>>
>>> Yes, until now we had no problem stalling on 53.1.4. I guess we'll have
>>> to test how badly the nfs performance degradation actually is under a
>>> heavy load in our environment.
>>
>> Good news! CentOS is going to offer the updated kernel (-53.1.13)
>> with the nfs patch applied -- thanks to Johnny Hughes. Let's wait to
>> hear from him.
>>
>> Akemi
>
> There is a kernel that matches upstream and it is released to the
> centos-5 tree and available via the normal yum updates.
>
> It is patched for this root exploit issue, but the NFS is still broken
> per this bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=321111
>
> SO ... there are kernels available here (that you will need to manually
> install) which SHOULD fix this root exploit AND work with NFS:
>
> http://people.centos.org/~hughesjr/kernel/5/
>
> This is a testing kernel ... it seems to work for me and has passed
> testing on several other CentOS servers ... and it has a backported
> patch from the 2.6.18-80.el5 testing upstream RHEL server.
>
> Each person who wants to use this needs to test it first for themselves
> ... if it breaks your machine you get to keep all pieces :D
>
I soo love that last line! I could just imagine someone like Jack Nicholson
saying it in a movie.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!