Security CentOSPlus kernel that mitigates CVE-2014-4699 now available

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 21, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    CVE-2014-4699:
    The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

    This issue affects CentOS-6 and -7 kernels. An upstream fix has now been applied to the CentOSPlus kernels.

    CentOS-6:
    kernel-2.6.32-431.20.3.0.1.el6.centos.plus.x86_64.rpm
    kernel-2.6.32-431.20.3.0.1.el6.centos.plus.i686.rpm

    CentOS-7:
    kernel-plus-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64.rpm

     
  2. eva2000

    CentOS Plus info http://wiki.centos.org/AdditionalResources/Repositories/CentOSPlus

    Code:
    yum --disablerepo=* list available --enablerepo=centosplus 
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * centosplus: mirror.hmc.edu
    Available Packages
    kernel-plus.x86_64                                                        3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-abi-whitelists.noarch                                         3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-devel.x86_64                                                  3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-doc.noarch                                                    3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-headers.x86_64                                                3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-tools.x86_64                                                  3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-tools-libs.x86_64                                             3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    kernel-plus-tools-libs-devel.x86_64                                       3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    perf.x86_64                                                               3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplus
    python-perf.x86_64                                                        3.10.0-123.4.2.el7.centos.plus.0.1                                        centosplu
    Code:
     yum list kernel* --enablerepo=centosplus              
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: mirrors.syringanetworks.net
    * centosplus: mirror.hmc.edu
    * epel: mirrors.cat.pdx.edu
    * extras: mirrors.cat.pdx.edu
    * rpmforge: repoforge.eecs.wsu.edu
    * updates: mirrors.kernel.org
    96 packages excluded due to repository priority protections
    Installed Packages
    kernel.x86_64                                                             3.10.0-123.el7                                                           @anaconda/7
    kernel.x86_64                                                             3.10.0-123.4.2.el7                                                       @updates/7
    kernel-devel.x86_64                                                       3.10.0-123.el7                                                           @anaconda/7
    kernel-devel.x86_64                                                       3.10.0-123.4.2.el7                                                       @updates/7
    kernel-headers.x86_64                                                     3.10.0-123.4.2.el7                                                       @updates/7
    kernel-tools.x86_64                                                       3.10.0-123.4.2.el7                                                       @updates/7
    kernel-tools-libs.x86_64                                                  3.10.0-123.4.2.el7                                                       @updates/7
    Available Packages
    kernel-abi-whitelists.noarch                                              3.10.0-123.4.2.el7                                                       updates
    kernel-debug.x86_64                                                       3.10.0-123.4.2.el7                                                       updates
    kernel-debug-devel.x86_64                                                 3.10.0-123.4.2.el7                                                       updates
    kernel-doc.noarch                                                         3.10.0-123.4.2.el7                                                       updates
    kernel-plus.x86_64                                                        3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-abi-whitelists.noarch                                         3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-devel.x86_64                                                  3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-doc.noarch                                                    3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-headers.x86_64                                                3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-tools.x86_64                                                  3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-tools-libs.x86_64                                             3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-plus-tools-libs-devel.x86_64                                       3.10.0-123.4.2.el7.centos.plus.0.1                                       centosplus
    kernel-tools-libs-devel.x86_64                                            3.10.0-123.4.2.el7                                                       updates  
    Code:
    yum install kernel-plus kernel-plus-devel --enablerepo=centosplus                
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: mirrors.syringanetworks.net
    * centosplus: mirror.hmc.edu
    * epel: mirrors.cat.pdx.edu
    * extras: mirrors.cat.pdx.edu
    * rpmforge: repoforge.eecs.wsu.edu
    * updates: mirrors.kernel.org
    96 packages excluded due to repository priority protections
    Resolving Dependencies
    --> Running transaction check
    ---> Package kernel-plus.x86_64 0:3.10.0-123.4.2.el7.centos.plus.0.1 will be installed
    ---> Package kernel-plus-devel.x86_64 0:3.10.0-123.4.2.el7.centos.plus.0.1 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==============================================================================================================================================================
    Package                               Arch                       Version                                                Repository                      Size
    ==============================================================================================================================================================
    Installing:
    kernel-plus                           x86_64                     3.10.0-123.4.2.el7.centos.plus.0.1                     centosplus                      29 M
    kernel-plus-devel                     x86_64                     3.10.0-123.4.2.el7.centos.plus.0.1                     centosplus                     9.0 M
    
    Transaction Summary
    ==============================================================================================================================================================
    Install  2 Packages
    
    Total download size: 38 M
    Installed size: 160 M
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/2): kernel-plus-devel-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64.rpm                                                                 | 9.0 MB  00:00:01  
    (2/2): kernel-plus-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64.rpm                                                                       |  29 MB  00:00:06  
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                         6.1 MB/s |  38 MB  00:00:06  
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : kernel-plus-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64                                                                                      1/2
      Installing : kernel-plus-devel-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64                                                                                2/2
      Verifying  : kernel-plus-devel-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64                                                                                1/2
      Verifying  : kernel-plus-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64                                                                                      2/2
    
    Installed:
      kernel-plus.x86_64 0:3.10.0-123.4.2.el7.centos.plus.0.1                    kernel-plus-devel.x86_64 0:3.10.0-123.4.2.el7.centos.plus.0.1                
    
    Complete!
    checking existing default loaded kernel
    Code:
    grub2-editenv list
    saved_entry=CentOS Linux (3.10.0-123.4.2.el7.x86_64) 7 (Core)
    
    set new default
    Code:
    grub2-set-default "CentOS Linux (3.10.0-123.4.2.el7.centos.plus.0.1.x86_64) 7 (Core)" 
    
    Code:
    grub2-editenv list
    saved_entry=CentOS Linux (3.10.0-123.4.2.el7.centos.plus.0.1.x86_64) 7 (Core)
    
    wasn't sure this was needed to rebuild
    Code:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    Generating grub configuration file ...
    Found linux image: /boot/vmlinuz-3.10.0-123.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-123.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-123.4.2.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-123.4.2.el7.x86_64.img
    Found linux image: /boot/vmlinuz-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64
    Found initrd image: /boot/initramfs-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64.img
    Found linux image: /boot/vmlinuz-0-rescue-079bcb6888324f6e900c39a1930116f4
    Found initrd image: /boot/initramfs-0-rescue-079bcb6888324f6e900c39a1930116f4.img
    done
    
    seems above step wasn't needed as reboot didn't set the kernel as rebuild changed the name of the new kernel's name so try setting it again

    Code:
    grub2-set-default "CentOS Linux, with Linux 3.10.0-123.4.2.el7.centos.plus.0.1.x86_64"
    
    Code:
    grub2-editenv list     
    saved_entry=CentOS Linux, with Linux 3.10.0-123.4.2.el7.centos.plus.0.1.x86_64
    
    this time worked
    Code:
    uname -r
    3.10.0-123.4.2.el7.centos.plus.0.1.x86_64
    
    Code:
    rpm -qa --changelog kernel-plus
    * Tue Jul 15 2014 Akemi Yagi <toracat@centos.org> [3.10.0-123.4.2.el7.centos.plus.0.1]
    - Roll in centos-linux-3.10-CVE-2014-4699.patch (see centos bug 7379)
    
    * Mon Jul 07 2014 Akemi Yagi <toracat@centos.org> [3.10.0-123.4.2.el7.centos.plus]
    - Patch in CentOS SecureBoot certs
    - Add in debranding changes
    - Add in CentOS kdump and driver update certs
    - Modifications to remove Red Hat from spec file
    - Modify config file for x86_64 with extra features turned on including
      some network adapters, BusLogic, IPX, Appletalk, ReiserFS, TOMOYO, AppArmor
    - Add in a patch that allows non-LogiTech remote to work [bug#5780]
    - Add in a patch that fixes compat msgrcv with negative msgtyp [bug#7099]
    - Add in a patch that fixes "Argument list too long" error
    
    * Thu Jun 05 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.4.2.el7]
    - [fs] aio: fix plug memory disclosure and fix reqs_active accounting backport (Jeff Moyer) [1094604 1094605] {CVE-2014-0206}
    - [fs] aio: plug memory disclosure and fix reqs_active accounting (Mateusz Guzik) [1094604 1094605] {CVE-2014-0206}
    
    * Thu Jun 05 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.4.1.el7]
    - [kernel] futex: Make lookup_pi_state more robust (Larry Woodman) [1104519 1104520] {CVE-2014-3153}
    - [kernel] futex: Always cleanup owner tid in unlock_pi (Larry Woodman) [1104519 1104520] {CVE-2014-3153}
    - [kernel] futex: Validate atomic acquisition in futex_lock_pi_atomic() (Larry Woodman) [1104519 1104520] {CVE-2014-3153}
    - [kernel] futex: prevent requeue pi on same futex (Larry Woodman) [1104519 1104520] {CVE-2014-3153}
    - [ethernet] qlcnic: Fix ethtool statistics length calculation (Michal Schmidt) [1104972 1099634]
    - Revert: [kernel] cputime: Default implementation of nsecs -> cputime conversion (Frederic Weisbecker) [1090974 1047732]
    - Revert: [kernel] cputime: Bring cputime -> nsecs conversion (Frederic Weisbecker) [1090974 1047732]
    - Revert: [kernel] cputime: Fix jiffies based cputime assumption on steal accounting (Frederic Weisbecker) [1090974 1047732]
    
    * Tue Jun 03 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.3.1.el7]
    - [kernel] mutexes: Give more informative mutex warning in the !lock->owner case (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] mutex: replace CONFIG_HAVE_ARCH_MUTEX_CPU_RELAX with simple ifdef (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutexes: Introduce cancelable MCS lock for adaptive spinning (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutexes: Modify the way optimistic spinners are queued (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutexes: Return false if task need_resched() in mutex_can_spin_on_owner() (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] Restructure the MCS lock defines and locking & Move mcs_spinlock.h into kernel/locking/ (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [misc] arch: Introduce smp_load_acquire(), smp_store_release() (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutex: Fix debug_mutexes (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutex: Fix debug checks (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    - [kernel] locking/mutexes: Unlock the mutex without the wait_lock (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]
    
    * Mon Jun 02 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.2.1.el7]
    - [net] filter: prevent nla extensions to peek beyond the end of the message (Jiri Benc) [1096780 1096781] {CVE-2014-3144 CVE-2014-3145}
    - [block] floppy: don't write kernel-only members to FDRAWCMD ioctl output (Denys Vlasenko) [1094316 1094318] {CVE-2014-1737 CVE-2014-1738}
    - [block] floppy: ignore kernel-only members in FDRAWCMD ioctl input (Denys Vlasenko) [1094316 1094318] {CVE-2014-1737 CVE-2014-1738}
    - [net] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors (Jiri Pirko) [1091345 1079014] {CVE-2014-2568}
    - [net] ipv4: current group_info should be put after using (Jiri Benc) [1087415 1087416] {CVE-2014-2851}
    - [fs] dcache: make prepend_name() work correctly when called with negative *buflen (Mikulas Patocka) [1099048 1092746]
    - [fs] dcache: __dentry_path() fixes (Mikulas Patocka) [1099048 1092746]
    - [fs] dcache: prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts (Mikulas Patocka) [1099048 1092746]
    - [target] tcm_fc: Fix use-after-free of ft_tpg (Andy Grover) [1088110 1071340]
    - [s390] af_iucv: wrong mapping of sent and confirmed skbs (Hendrik Brueckner) [1103064 1098513]
    - [s390] kernel: avoid page table walk on user space access (Hendrik Brueckner) [1103062 1097687]
    - [s390] crypto: fix aes, des ctr mode concurrency finding (Hendrik Brueckner) [1103060 1097686]
    - [net] openvswitch: fix a possible deadlock and lockdep warning (Flavio Leitner) [1103318 1094867]
    - [mm] filemap: update find_get_pages_tag() to deal with shadow entries (Johannes Weiner) [1103065 1091795]
    - [mm] page-writeback: fix divide by zero in pos_ratio_polynom (Rik van Riel) [1103067 1091784]
    - [mm] page-writeback: add strictlimit feature (Rik van Riel) [1103067 1091784]
    - [fs] xfs: log vector rounding leaks log space (Brian Foster) [1103059 1091136]
    - [fs] xfs: truncate_setsize should be outside transactions (Brian Foster) [1103059 1091136]
    - [fs] gfs2: Fix uninitialized VFS inode in gfs2_create_inode (Abhijith Das) [1097407 1087995]
    - [kernel] futex: Fix pthread_cond_broadcast() to wake up all threads (Larry Woodman) [1103066 1084757]
    - [net] ip: generate unique IP identificator if local fragmentation is allowed (Jiri Pirko) [1090490 1076106]
    - [kernel] cputime: Fix jiffies based cputime assumption on steal accounting (Frederic Weisbecker) [1090974 1047732]
    - [kernel] cputime: Bring cputime -> nsecs conversion (Frederic Weisbecker) [1090974 1047732]
    - [kernel] cputime: Default implementation of nsecs -> cputime conversion (Frederic Weisbecker) [1090974 1047732]
    - [x86] irq, pic: Probe for legacy PIC and set legacy_pic appropriately (Vivek Goyal) [1094973 1037957]
    - [virt] hyperv/vmbus: Negotiate version 3.0 when running on ws2012r2 hosts (Vivek Goyal) [1094973 1037957]
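
The pitfall in the post above, a `saved_entry` title that no longer matches any `menuentry` once `grub2-mkconfig` has regenerated `grub.cfg`, can be caught before rebooting. The following is an added example, not code from the thread; the function names and the sample `grub.cfg` are constructed for illustration, and it assumes top-level menu entries (no submenus).

```shell
#!/bin/sh
# Added example: verify that GRUB2's saved_entry names a menu entry that
# really exists in grub.cfg. Function names and sample data are constructed.

# Print every menuentry title (the first quoted string after "menuentry").
list_menuentries() {
    sed -n "s/^[[:space:]]*menuentry[[:space:]][[:space:]]*\(['\"]\)\([^'\"]*\)\1.*/\2/p" "$1"
}

# Succeed only if saved_entry resolves to an entry in the given grub.cfg.
# Handles an exact title (the form used in the thread) or a zero-based index.
saved_entry_matches() {
    case "$2" in
        '') return 1 ;;
        *[!0-9]*)
            # -F -x: literal whole-line match, so "(" "." "," are not regex.
            list_menuentries "$1" | grep -Fxq -- "$2" ;;
        *)
            count=$(list_menuentries "$1" | wc -l)
            [ "$2" -lt "$((count))" ] ;;
    esac
}

# Print the title that names a kernel release; pass the full `uname -r`
# style string (including the arch suffix) to avoid prefix collisions.
title_for_kernel() {
    list_menuentries "$1" | grep -F -- "$2" | head -n 1
}

# Constructed sample: titles in the format grub2-mkconfig produced above.
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'CentOS Linux, with Linux 3.10.0-123.4.2.el7.centos.plus.0.1.x86_64' --class centos --class gnu-linux {
	linux16 /vmlinuz-3.10.0-123.4.2.el7.centos.plus.0.1.x86_64 ro
}
menuentry 'CentOS Linux, with Linux 3.10.0-123.4.2.el7.x86_64' --class centos --class gnu-linux {
	linux16 /vmlinuz-3.10.0-123.4.2.el7.x86_64 ro
}
menuentry 'CentOS Linux, with Linux 3.10.0-123.el7.x86_64' --class centos --class gnu-linux {
	linux16 /vmlinuz-3.10.0-123.el7.x86_64 ro
}
EOF
}

# Demo: the title set before the rebuild is stale afterwards.
cfg=$(mktemp)
write_sample_cfg "$cfg"
saved='CentOS Linux (3.10.0-123.4.2.el7.centos.plus.0.1.x86_64) 7 (Core)'
wanted='3.10.0-123.4.2.el7.centos.plus.0.1.x86_64'
if saved_entry_matches "$cfg" "$saved"; then
    echo "saved_entry matches a menu entry"
else
    echo "saved_entry does not match any menu entry: $saved"
    echo "title to use instead: $(title_for_kernel "$cfg" "$wanted")"
fi
rm -f "$cfg"
```

On a real CentOS 7 host, point the functions at `/boot/grub2/grub.cfg` and the value after `saved_entry=` from `grub2-editenv list`, then confirm with `uname -r` after the reboot.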
     
  3. RoldanLT

    RoldanLT Well-Known Member

    Is this the same update that I have?
    Code:
    # yum update
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    epel/metalink                                                                               | 5.4 kB     00:00
    * base: centos.cubiculestudio.com
    * epel: mirrors.mit.edu
    * extras: centos.bhs.mirrors.ovh.net
    * rpmforge: repoforge.mirror.constant.com
    * updates: centos.bhs.mirrors.ovh.net
    base                                                                                        | 3.7 kB     00:00
    epel                                                                                        | 4.4 kB     00:00
    extras                                                                                      | 3.4 kB     00:00
    mariadb                                                                                     | 1.9 kB     00:00
    rpmforge                                                                                    | 1.9 kB     00:00
    updates                                                                                     | 3.4 kB     00:00
    updates/primary_db                                                                          | 4.2 MB     00:00
    1564 packages excluded due to repository priority protections
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package grub.x86_64 1:0.97-83.el6 will be updated
    ---> Package grub.x86_64 1:0.97-84.el6_5 will be an update
    ---> Package kernel.x86_64 0:2.6.32-431.20.5.el6 will be installed
    ---> Package kernel-devel.x86_64 0:2.6.32-431.20.5.el6 will be installed
    ---> Package kernel-firmware.noarch 0:2.6.32-431.20.3.el6 will be updated
    ---> Package kernel-firmware.noarch 0:2.6.32-431.20.5.el6 will be an update
    ---> Package kernel-headers.x86_64 0:2.6.32-431.20.3.el6 will be updated
    ---> Package kernel-headers.x86_64 0:2.6.32-431.20.5.el6 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===================================================================================================================
    Package                       Arch                 Version                            Repository             Size
    ===================================================================================================================
    Installing:
    kernel                        x86_64               2.6.32-431.20.5.el6                updates                28 M
    kernel-devel                  x86_64               2.6.32-431.20.5.el6                updates               8.8 M
    Updating:
    grub                          x86_64               1:0.97-84.el6_5                    updates               933 k
    kernel-firmware               noarch               2.6.32-431.20.5.el6                updates                13 M
    kernel-headers                x86_64               2.6.32-431.20.5.el6                updates               2.9 M
    
    Transaction Summary
    ===================================================================================================================
    Install       2 Package(s)
    Upgrade       3 Package(s)
    
    Total download size: 53 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/5): grub-0.97-84.el6_5.x86_64.rpm                                                        | 933 kB     00:00
    (2/5): kernel-2.6.32-431.20.5.el6.x86_64.rpm                                                |  28 MB     00:00
    (3/5): kernel-devel-2.6.32-431.20.5.el6.x86_64.rpm                                          | 8.8 MB     00:00
    (4/5): kernel-firmware-2.6.32-431.20.5.el6.noarch.rpm                                       |  13 MB     00:00
    (5/5): kernel-headers-2.6.32-431.20.5.el6.x86_64.rpm                                        | 2.9 MB     00:00
    -------------------------------------------------------------------------------------------------------------------
    Total                                                                               69 MB/s |  53 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : kernel-firmware-2.6.32-431.20.5.el6.noarch                                                      1/8
      Installing : kernel-2.6.32-431.20.5.el6.x86_64                                                               2/8
      Updating   : kernel-headers-2.6.32-431.20.5.el6.x86_64                                                       3/8
      Updating   : 1:grub-0.97-84.el6_5.x86_64                                                                     4/8
      Installing : kernel-devel-2.6.32-431.20.5.el6.x86_64                                                         5/8
      Cleanup    : kernel-headers-2.6.32-431.20.3.el6.x86_64                                                       6/8
      Cleanup    : 1:grub-0.97-83.el6.x86_64                                                                       7/8
      Cleanup    : kernel-firmware-2.6.32-431.20.3.el6.noarch                                                      8/8
      Verifying  : kernel-devel-2.6.32-431.20.5.el6.x86_64                                                         1/8
      Verifying  : kernel-firmware-2.6.32-431.20.5.el6.noarch                                                      2/8
      Verifying  : 1:grub-0.97-84.el6_5.x86_64                                                                     3/8
      Verifying  : kernel-headers-2.6.32-431.20.5.el6.x86_64                                                       4/8
      Verifying  : kernel-2.6.32-431.20.5.el6.x86_64                                                               5/8
      Verifying  : kernel-headers-2.6.32-431.20.3.el6.x86_64                                                       6/8
      Verifying  : 1:grub-0.97-83.el6.x86_64                                                                       7/8
      Verifying  : kernel-firmware-2.6.32-431.20.3.el6.noarch                                                      8/8
    
    Installed:
      kernel.x86_64 0:2.6.32-431.20.5.el6                   kernel-devel.x86_64 0:2.6.32-431.20.5.el6
    
    Updated:
      grub.x86_64 1:0.97-84.el6_5                             kernel-firmware.noarch 0:2.6.32-431.20.5.el6
      kernel-headers.x86_64 0:2.6.32-431.20.5.el6
    
    Complete!
    
    Code:
    # uname -a
    Linux server 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
    
    Is a server restart needed?

    Thanks!
     
  4. eva2000

    I believe it's different as CentOS Plus repo is bleeding edge updates only
     
  5. RoldanLT

    Do I need it also?
     
  6. eva2000

    yes always need to reboot server for kernel updates

    and for 2.6.32-431.20.5 seems you have the update to patch the exploit mentioned in this thread https://rhn.redhat.com/errata/RHSA-2014-0924.html

    although for single user servers, not much concern for local user escalation of privileges hehe

     
  7. Floren

    Floren Active Member

    I personally reboot after each update. There are other dependencies that require a reboot, not just the kernel and are quite few. I discovered them a long time ago by accident, through the CentOS GUI. Now I simply reboot the server on my monthly update check. :)