[CentOS] local root exploit
Johnny Hughes
johnny at centos.org
Wed Feb 13 14:52:51 UTC 2008
Akemi Yagi wrote:
> On Feb 11, 2008 10:52 AM, Scott McClanahan
> <scott.mcclanahan at trnswrks.com> wrote:
>>
>> On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
>
>>> We have to wait and see, but my impression is that the nfs fix would
>>> not be in the updated kernel (I hope I am wrong). They are talking
>>> about getting it into 5.2 (even possibly into 5.3). I can see that
>>> this is a problem. Now, we can not "stay with 53.1.4" on the systems
>>> where the local root exploit is a serious problem.
>>>
>>> Akemi
>
>> Yes, until now we had no problem stalling on 53.1.4. I guess we'll have
>> to test how bad the nfs performance degradation actually is under a
>> heavy load in our environment.
>
> Good news! CentOS is going to offer the updated kernel (-53.1.13)
> with the nfs patch applied -- thanks to Johnny Hughes. Let's wait to
> hear from him.
>
> Akemi

There is a kernel that matches upstream and it is released to the
centos-5 tree and available via the normal yum updates.

It is patched for this root exploit issue, but the NFS is still broken
per this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=321111

SO ... there are kernels available here (that you will need to manually
install) which SHOULD fix this root exploit AND work with NFS:

http://people.centos.org/~hughesjr/kernel/5/

This is a testing kernel ... it seems to work for me and has passed
testing on several other CentOS servers ... and it has a backported
patch from the 2.6.18-80.el5 testing upstream RHEL server.

Each person who wants to use this needs to test it first for themselves
... if it breaks your machine you get to keep all pieces :D

I will also be rolling this same NFS patch into the centosplus kernel
for centos-5 which is currently building.

Thanks,
Johnny Hughes