A bug lurking for 12 years gives attackers root on every major Linux distro
My Ubuntu servers have this update: libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0 policykit-1. But nothing on CentOS servers :|
@rdan Red Hat Enterprise Linux (EL) updated packages are released (below), and the same goes for EL clones like Oracle Linux. So this is a CentOS thingy: CentOS 8 is end of life, so there are no updates anymore for CentOS 8. About CentOS 7: CentOS priority is currently given to CentOS Stream all-inclusive. Expect a delayed release of a few days for non-Stream updates like EL version 7, since Johnny Hughes from Red Hat/CentOS has repeatedly stated that only a few people "work" on their release team. Nevertheless, kinda clickbait from Ars Technica: 'gives attackers root on every major Linux distro'. The severity is important and not critical at all for CVE-2021-4034.
It's not quite clickbaity, as this can affect shared hosting companies or servers that let users have shell access. This is a serious concern that affects these people too.
I don't agree with that: 'gives attackers root on every major Linux distro' is completely off the mark, and thus attracts potential visitors to the article who wouldn't otherwise come by. After all, you have to have shell access as a starting point. 'Gives attackers root on every major Linux distro' means a critical CVE where you gain root access without any access (no shell or whatsoever), only with an exploit. Or specifically at a shared server, as you cite. Typically, a shared server hosts websites like grandma's photo album or your niece's travel site. Your grandmother or niece can hardly go through these CVE-2021-4034 exploit steps. Mostly: your grandmother and niece don't even know what a shell is, don't want to know what a shell is, or uberhastily don't know how to start a shell, even if they already had a shell. Apart from the fact that no major shared host providers deliver shell access. I agree with the Mitre Corporation, which classifies CVEs by importance. This CVE-2021-4034 is classified as important but nothing more.
Most of my CentOS 7 servers, when I logged in, already had that polkit update installed due to YUM auto updates.