[CentOS] Possible Kernel user escalation issue for CentOS-6.4

Jake Shipton jakems at fedoraproject.org
Wed Jul 17 08:04:02 UTC 2013


On Wed, 17 Jul 2013 01:14:50 -0500
Johnny Hughes <johnny at centos.org> wrote:

> On 07/02/2013 04:55 PM, Johnny Hughes wrote:
> > The following kernel has been built while waiting for upstream to
> > release a new kernel that addresses CVE-2013-2224:
> >
> > http://people.centos.org/hughesjr/c6kernel/2.6.32-358.11.1.el6.cve20132224/
> >
> > Please see this upstream bug for details:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=979936
> >
> > =========================
> >
> > Note:  This kernel has been minimally tested and is provided as is
> > for people who do not want to wait for the official kernel.  It is
> > the standard CentOS kernel with one added patch (
> > https://bugzilla.redhat.com/attachment.cgi?id=767364)
> >
> > This kernel needs to be tested for fitness by each user before being
> > placed in production.  It is a best effort to mitigate an issue
> > that can cause local user escalation to root while waiting for
> > upstream to fix and QA the official kernel.  Use at your own risk.
> >
> 
> There has been a new upstream kernel released
> (kernel-2.6.32-358.14.1.el6.src.rpm) and we have released a testing
> kernel that addresses this issue.  Same warnings and bugzilla links
> apply (this is a best effort, use at your own risk, yada yada yada !):
> 
> http://people.centos.org/hughesjr/c6kernel/2.6.32-358.14.1.el6.cve20132224/
> 
> Thanks,
> Johnny Hughes
> 

Thanks for these, Johnny, much appreciated. I was quite surprised to find
the fix was not in the .14.1 kernel update from upstream.

I guess upstream does not see this as "important" enough.

Regards,
Jake Shipton (JakeMS)
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F