Akemi Yagi wrote: > On Feb 11, 2008 10:52 AM, Scott McClanahan > <scott.mcclanahan at trnswrks.com> wrote: >> >> On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote: > >>> We have to wait and see, but my impression is that the nfs fix would >>> not be in the updated kernel (I hope I am wrong). They are talking >>> about getting it into 5.2 (even possibly into 5.3). I can see that >>> this is a problem. Now, we can not "stay with 53.1.4" on the systems >>> where the local root exploit is a serious problem. >>> >>> Akemi > >> Yes, until now we had no problem stalling on 53.1.4. I guess we'll have >> to test how badly the nfs performance degradation actually is under a >> heavy load in our environment. > > Good news! CentOS is going to offer the updated kernel (-53.1.13) > with the nfs patch applied -- thanks to Johnny Hughes. Let's wait to > hear from him. > > Akemi There is a kernel that matches upstream and it is released to the centos-5 tree and available via the normal yum updates. It is patched for this root exploit issue, but the NFS is still broken per this bug: https://bugzilla.redhat.com/show_bug.cgi?id=321111 SO ... there are kernels available here (that you will need to manually install) which SHOULD fix this root exploit AND work with NFS: http://people.centos.org/~hughesjr/kernel/5/ This is a testing kernel ... it seems to work for me and has passed testing on several other CentOS servers ... and it has a backported patch from the 2.6.18-80.el5 testing upstream RHEL server. Each person who wants to use this needs to test it first for themselves ... if it breaks your machine you get to keep all pieces :D I will also be rolling this same NFS patch into the centosplus kernel for centos-5 which is currently building. Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20080213/9e2ce4c1/attachment-0004.sig>