[CentOS] local root exploit

kfx kadafax at gmail.com
Tue Feb 12 16:40:26 UTC 2008


Johnny Hughes wrote:
> kfx wrote:
>> R P Herrold wrote:
>>> On Mon, 11 Feb 2008, kfx wrote:
>>>
>>>> The official patch for debian is out since a couple of hours...
>>>> Why does it take so long for RHEL ? Just a question, not a troll or 
>>>> something.
>>>
>>> 1. ask them
>> it was a question, not a troll (bis).
>
> However, you are asking the wrong people ... we have no idea.
>
> Also ... it *_IS_* trolling (or at least certainly silly) to post that 
> Debian had the patch and RHEL doesn't ... so let's make RHEL be 
> Debian.  Fedora also has the patch released and RHEL doesn't ... I 
> don't want RHEL to be Fedora either.
hu ?
Well you are right, my question was a bit silly but this thread was 
closed (for me at least) yesterday with Mr Van Dolson's last 
intervention. Why do you come out now from nowhere like "hey troll 
spotted! you are silly" or what ?
It's just that it is a hard time for RHEL, the 1.6 NFS issue then this 
one. And now we are going to have to choose between being exploitable or 
a decent NFS support.

>
> Maybe you are using the wrong distro ... I want stable kernels on my 
> servers, so I'll take the extra day of testing.  For people who do not 
> want stable and tested software, switch distros.
And the "change distro" speech is quite puerile, you think we all have 
the choice? Or that we can switch dozens of servers like this?
I can imagine that this exploit is not dramatic for a lot of people. But 
in certain cases, like in a scholar environment, where we have a lot of 
untrusted users' accounts, something like this IS problematic.
>
> [...]
>
> Rest assured that as soon as the upstream people have a patch, so will 
> the CentOS team.  
And thank you for your work.
> However, we are not going to rush a non tested patch out the door.  
> There are patches listed on the upstream bug, if you (figurative ... 
> meaning anyone who wants to not wait) really want to integrate that 
> into your own kernels in the interim then please do.
I did, for the record: http://people.redhat.com/dzickus/el5/
BEWARE that it will remove ALL the older kernels.

Regards,
kfx
>
> Thanks,
> Johnny Hughes
>