Article 15926 at 09/08/25 11:33:41 From: microv (at mark) microvisionfl.com Subject: [coba-e:15926] Re: {Spam?} Re: Major Update Kernel Included

Index: [Article Count Order] [Thread]
Date:  Mon, 24 Aug 2009 22:33:55 -0400
From:  "microv" <microv (at mark) microvisionfl.com>
Subject:  [coba-e:15926] Re: {Spam?}  Re: Major Update Kernel Included - Update
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <018a01ca252c$7e2a71a0$7a7f54e0$@com>
In-Reply-To:  <BAY107-W23704B74244845541039BAD1F80 (at mark) phx.gbl>
References:  <200908222022.n7MKMK6C008481 (at mark) ana.xnet.com.mx> <200908222315.16092.bq (at mark) solarspeed.net> <BAY107-W29A1C5A7B18145D7A68A4AD1FA0 (at mark) phx.gbl> <200908230453.02246.bq (at mark) solarspeed.net> <BAY107-W23704B74244845541039BAD1F80 (at mark) phx.gbl>
X-Mail-Count: 15926

WHY AM I GETTING 2 OF EVERYONE'S MESSAGES FROM THIS LISTSERV? CAN IT BE
FIXED?


-----Original Message-----
From: Tom W [mailto:midintertech (at mark) hotmail.com] 
Sent: Monday, August 24, 2009 10:14 PM
To: coba-e (at mark) bluequartz.org
Subject: {Spam?} [coba-e:15925] Re: Major Update Kernel Included - Update


----------------------------------------
> Date: Sun, 23 Aug 2009 04:53:01 +0200
> From: bq (at mark) solarspeed.net
> Subject: [coba-e:15916] Re: Major Update Kernel Included
> To: coba-e (at mark) bluequartz.org
>
> Hi Tom,
>
>> About the linux kernel vuln, wonder how long its gonna take them
>> to get out an update for it??
>
> I'm puzzled about that as well. My money was on last Monday for an updated
> RHEL5 kernel and 11 days later for a CentOS5 kernel. But it looks RH is
taking
> a different route this time. It appears they'll provide a fix during the
next
> "routine" kernel update and paying clients can request a "hotfixed"
kernel.
>
>> Even though they say its local user, we have been reading reports, far
too
>> many for our comfort level, that say hacktards are using xss and other
>> methods remotely to get hacks for this kernel problem onto systems as a
>> local user and hacking quite a few boxes already!?
>
> Exactly so. It is always bad if lax security or an ill designed
application
> (PHP script, etc.) allows someone local and unprivileged access to the OS.
> That shouldn't happen in an ideal world, but in the hosting business we
see
> this far too often for various reasons. In BlueOnyx we raised the bar for
this
> by adding some extra layers of protection beyond what BlueQuartz offers,
but
> still: It ain't Fort Knox and the admins might even choose to disable the
> extra security. All that it then takes is another hole such as this kernel
> vulnerability and the attacker can escalate his unprivileged local access
to
> gain root access.
>
>> Has anybody tried the "workaround" they have listed on that redhat bug
>> report by disabling some modules or know if that would actually help on
our
>> CentosBQ boxes?
>
> For BlueOnyx and CentOS5 we rolled up a patched kernel. It's just one line
of
> code that's changed and the new kernel appears to be both stable and safe.
For
> CentOS4 it should be equally trivial to roll up a fixed kernel. I'd trust
that
> more than the other suggested work arounds, which I haven't tested.
>
>> I ran lsmod and didn't think I saw any of the modules loaded??
>
> Yeah, but they will be loaded if the kernel needs them. Unless you stop
the
> loading of kernel modules with a third party tool such as LCAP. But the
way
> this exploits works I'm not sure LCAP alone would prevent it. Haven't
tested
> that, though.
>
>> We also read that disabling selinux was a good idea but I don't thing its
on
>> by default in CentosBQ??
>
> SELinux is disabled by default on BlueQuartz and BlueOnyx. On a "normal"
> CentOS it's typically set to enforcing mode, but that didn't stop the
exploit
> either in the default SELinux configuration used on RHEL and CentOS.
>
> All in all I'm not a happy camper with this situation at hands. That
CentOS is
> late with handing down patches and that they never fix something that
RedHat
> doesn't fix upstream ... both of that ain't new. But that RedHat sits this
one
> out has me somewhat puzzled. Like said: The issue is trivial to patch and
that
> extra bit of Q&A should be easy to shake loose for a giant like RedHat.
But
> they leave the field to Debian, Fedora Core and other distributions, who
> already jumped on it and pushed out fixed kernels as fast as one ought to
> expect .
>
> --
> With best regards,
>
> Michael Stauber
>

Hey they must have heard us griping! :P  In case someone missed 
it, CentOS released new kernel's fixing the SOCKOPS_WRAP/sendpage
bug and also another bug I hadn't even read about. We were pleasantly
surprised because we were just about to try and roll our own kernel
with the patch in ourselves which could have had interesting results.
CentOS really got the kernel out fast considering Redhat just posted
it today..

They said it might take little awhile for it to hit all the mirrors...

kernel-2.6.9-89.0.9.EL
http://lists.centos.org/pipermail/centos-announce/2009-August/016108.html



Tom

_________________________________________________________________
Get back to school stuff for them and cashback for you.
http://www.bing.com/cashback?form=MSHYCB&publ=WLHMTAG&crea=TEXT_MSHYCB_BackT
oSchool_Cashback_BTSCashback_1x1


-- 
This message has been scanned for viruses and
dangerous content by Our MailScanner, and is
believed to be clean.