On 2/13/2008 6:52 AM Johnny Hughes spake the following:
Akemi Yagi wrote:
On Feb 11, 2008 10:52 AM, Scott McClanahan scott.mcclanahan@trnswrks.com wrote:
On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
We have to wait and see, but my impression is that the nfs fix would not be in the updated kernel (I hope I am wrong). They are talking about getting it into 5.2 (even possibly into 5.3). I can see that this is a problem. Now, we cannot "stay with 53.1.4" on the systems where the local root exploit is a serious problem.
Akemi
Yes, until now we had no problem stalling on 53.1.4. I guess we'll have to test how bad the nfs performance degradation actually is under a heavy load in our environment.
Good news! CentOS is going to offer the updated kernel (-53.1.13) with the nfs patch applied -- thanks to Johnny Hughes. Let's wait to hear from him.
Akemi
There is a kernel that matches upstream and it is released to the centos-5 tree and available via the normal yum updates.
It is patched for this root exploit issue, but the NFS is still broken per this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=321111
SO ... there are kernels available here (that you will need to manually install) which SHOULD fix this root exploit AND work with NFS:
http://people.centos.org/~hughesjr/kernel/5/
This is a testing kernel ... it seems to work for me and has passed testing on several other CentOS servers ... and it has a backported patch from the 2.6.18-80.el5 testing upstream RHEL server.
Each person who wants to use this needs to test it first for themselves ... if it breaks your machine you get to keep all pieces :D
I soo love that last line! I could just imagine someone like Jack Nicholson saying it in a movie.