[CentOS] A Blast from the past

Tue Aug 17 16:14:36 UTC 2021
Jonathan Billings <billings at negate.org>

On Tue, Aug 17, 2021 at 05:02:02PM +0100, Mark Woolfson wrote:
> Unfortunately the manufacturer of our application software will only support
> it on RHEL/CentOS 7.0. I have asked and that is all they say.

This is absurd.  The 7.0 kernel has so many vulnerabilities that are
well known and well documented, they're forcing you to run a kernel
that can be trivially exploited.  I would seriously push back with the
manufacturer.  Does it have a custom kernel module that it requires?
Or did they only test it on RHEL or CentOS 7.0 and never updated their

In the past, I've asked vendors that tried this kind of nonsense if
they're willing to indemnify their customers for any security issues
that arise as a result of using their product. Feel free to list all
the CVEs in the current CentOS 7 kernel.  I see there are 1,125 CVEs
mentioned in the kernel changelog. It won't hold any legal water, most
likely, but it might get someone to at least look closer at the issue. 

Jonathan Billings <billings at negate.org>