[CentOS] local root exploit

jarmo oh1mrr at nic.fi
Mon Feb 11 20:03:24 UTC 2008


Scott McClanahan kirjoitti viestissään (lähetysaika maanantai, 11. helmikuuta 
2008):
> On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
> > On Feb 11, 2008 8:19 AM, Scott McClanahan <scott.mcclanahan at trnswrks.com> 
wrote:
> > > On Mon, 2008-02-11 at 04:52 -0800, Michael A. Peters wrote:
> > > > Valent Turkovic wrote:
> > > > > I saw that there is a local root exploit in the wild.
> > > > > http://blog.kagesenshi.org/2008/02/local-root-exploit-on-wild.html
> > > > >
> > > > > And I see my centos box still has:  2.6.18-53.1.4.el5
> > > > >
> > > > > yum says there are no updates... am I safe?
> > > > >
> > > > > Valent.
> > > >
> > > > The current kernel is 53.1.6.el5
> > > >
> > > > If yum isn't seeing it - it probably needs to clean its cached
> > > > headers.
> > > >
> > > > try:
> > > >
> > > > yum clean headers
> > > > yum update kernel
> > > >
> > > > However - the 53.1.6.el5 release also is vulnerable, so you may as
> > > > well wait for the exploit to be fixed before updating. I'm guessing
> > > > CentOS will do it fairly quickly after rhel does.
> > >
> > > I understand that a known root exploit must be patched but I'm curious
> > > to know if we upgrade to the fixed kernel once released will it also
> > > include the degraded nfs performance discussed here:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=431092
> >
> > We have to wait and see, but my impression is that the nfs fix would
> > not be in the updated kernel (I hope I am wrong).  They are talking
> > about getting it into 5.2 (even possibly into 5.3).  I can see that
> > this is a problem.  Now, we can not "stay with 53.1.4"  on the systems
> > where the local root exploit is a serious problem.
> >
> > Akemi
> >
> > Akemi
>
> Yes, until now we had no problem stalling on 53.1.4.  I guess we'll have
> to test how badly the nfs performance degradation actually is under a
> heavy load in our environment.

Ofcource there's a way, get vanilla kernel 2.6.24.2 and use old config
compile it and run. I've done it.

Jarmo





More information about the CentOS mailing list