Dag Wieers wrote:
On Mon, 11 Feb 2008, jarmo wrote:
Scott McClanahan wrote in a message (sent Monday, 11 February 2008):
On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
On Feb 11, 2008 8:19 AM, Scott McClanahan
wrote:
On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
Valent Turkovic wrote:
> I saw that there is a local root exploit in the wild.
> http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
>
> And I see my centos box still has: 2.6.18-53.1.4.el5
>
> yum says there are no updates... am I safe?
>
> Valent.
The current kernel is 53.1.6.el5
If yum isn't seeing it - it probably needs to clean its cached headers.
try:

yum clean headers
yum update kernel
However - the 53.1.6.el5 release also is
vulnerable, so you may as
well wait for the exploit to be fixed before
updating. I'm guessing
CentOS will do it fairly quickly after rhel does.
I understand that a known root exploit must be
patched but I'm curious
to know if we upgrade to the fixed kernel once
released will it also
include the degraded nfs performance discussed here:
We have to wait and see, but my impression is that the
nfs fix would
not be in the updated kernel (I hope I am wrong). They
are talking
about getting it into 5.2 (even possibly into 5.3). I
can see that
this is a problem. Now, we can not "stay with 53.1.4"
on the systems
where the local root exploit is a serious problem.
Yes, until now we had no problem stalling on 53.1.4. I
guess we'll have
to test how badly the nfs performance degradation
actually is under a
heavy load in our environment.
Of course there's a way: get the vanilla kernel 2.6.24.2, use the old config,
compile it and run. I've done it.
And *poof* you lost all support or reproducibility that people crave when using CentOS or RHEL.
So yes, it is a possibility, but probably unlikely when people have chosen CentOS or RHEL. And especially for those systems that are considered production (or important) and that are the most vulnerable you may not want to do this. (Or maybe instead you need to !)
Yes, true, but say you are running a shell account system and want to know it isn't vulnerable, can't wait until upstream provides a fix and don't want to run some possibly flaky work-around patch, what then?
I think one needs to weigh the consequences in these scenarios instead of saying it should be all one way or the other.
-Ross
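The thread's practical question is "which kernel am I actually running, and is it at or above the release that carries the fix?" The following is an added example, not code from the thread or from the CentOS project: a small POSIX sh check that compares the running kernel release against a minimum release, field by field, so that 2.6.18-53.1.6.el5 correctly sorts above 2.6.18-53.1.4.el5 and a vanilla 2.6.24.2 sorts above both. The minimum release passed as the argument is a placeholder; the thread does not say which release carries the fix, so take that value from the errata for your distribution. The helper that queries rpm is included for completeness and assumes an RPM-based system.

```shell
#!/bin/sh
# Added example (not from the thread): does the running kernel meet a
# minimum release? Handles the "yum updated the package but nobody
# rebooted" case by looking at uname -r, not at what rpm has installed.

# Split a release string such as 2.6.18-53.1.6.el5 into its numeric
# fields ("2 6 18 53 1 6"). Non-numeric tokens (el5, smp, PAE, rc1)
# are deliberately ignored: this compares upstream/package numbers only.
kver_fields() {
    out=""
    for tok in $(printf '%s\n' "$1" | sed 's/[._-]/ /g'); do
        case "$tok" in
            *[!0-9]*) ;;                       # skip dist tags and flavours
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Return 0 if release $1 is greater than or equal to release $2, else 1.
# A missing trailing field counts as 0, so 2.6.18-53 < 2.6.18-53.1.4.
kver_ge() {
    a=$(kver_fields "$1")
    b=$(kver_fields "$2")
    set -- $a                                  # positional params = fields of $1
    for fb in $b; do
        fa=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Newest kernel package rpm knows about (assumes an RPM-based system;
# not exercised offline). Useful to spot an installed-but-not-booted kernel.
newest_installed_kernel() {
    best=""
    for v in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel); do
        if [ -z "$best" ] || kver_ge "$v" "$best"; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# Compare the *running* kernel (uname -r) with the minimum release given.
check_running_kernel() {
    running=$(uname -r)
    if kver_ge "$running" "$1"; then
        printf 'running kernel %s is at or above %s\n' "$running" "$1"
        return 0
    fi
    printf 'running kernel %s is below %s: update and reboot\n' "$running" "$1"
    return 1
}

# Usage: sh kernel-check.sh <minimum-release>   (placeholder value, e.g. from the errata)
if [ $# -ge 1 ]; then
    check_running_kernel "$1" || exit 1
fi
```

Run it with the fixed release from the errata as the argument; a non-zero exit means the box is still booted on an older kernel even if `yum update kernel` has already installed the new package.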