[CentOS] Re: local root exploit

Wed Feb 13 16:28:12 UTC 2008
Scott Silva <ssilva at sgvwater.com>

on 2/13/2008 6:52 AM Johnny Hughes spake the following:
> Akemi Yagi wrote:
>> On Feb 11, 2008 10:52 AM, Scott McClanahan
>> <scott.mcclanahan at trnswrks.com> wrote:
>>>
>>> On Mon, 2008-02-11 at 10:45 -0800, Akemi Yagi wrote:
>>
>>>> We have to wait and see, but my impression is that the nfs fix would
>>>> not be in the updated kernel (I hope I am wrong).  They are talking
>>>> about getting it into 5.2 (even possibly into 5.3).  I can see that
>>>> this is a problem.  Now, we can not "stay with 53.1.4"  on the systems
>>>> where the local root exploit is a serious problem.
>>>>
>>>> Akemi
>>
>>> Yes, until now we had no problem stalling on 53.1.4.  I guess we'll have
>>> to test how badly the nfs performance degradation actually is under a
>>> heavy load in our environment.
>>
>> Good news!  CentOS is going to offer the updated kernel (-53.1.13)
>> with the nfs patch applied -- thanks to Johnny Hughes.  Let's wait to
>> hear from him.
>>
>> Akemi
> 
> There is a kernel that matches upstream and it is released to the 
> centos-5 tree and available via the normal yum updates.
> 
> It is patched for this root exploit issue, but the NFS is still broken 
> per this bug:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=321111
> 
> SO ... there are kernels available here (that you will need to manually 
> install) which SHOULD fix this root exploit AND work with NFS:
> 
> http://people.centos.org/~hughesjr/kernel/5/
> 
> This is a testing kernel ... it seems to work for me and has passed 
> testing on several other CentOS servers ... and it has a backported 
> patch from the 2.6.18-80.el5 testing upstream RHEL server.
> 
> Each person who wants to use this needs to test it first for themselves 
> ... if it breaks your machine you get to keep all pieces :D
> 
I soo love that last line! I could just imagine someone like Jack Nicholson 
saying it in a movie.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20080213/95427b15/attachment-0005.sig>