Discover Centmin Mod today
Register Now

Security Kernel Security Update: Local Privilege Escalation CVE-2016-5195

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 21, 2016.

  1. Xon

    Xon Active Member

    173
    61
    28
    Nov 16, 2015
    Ratings:
    +229
    Local Time:
    6:57 PM
    1.15.x
    MariaDB 10.3.x
  2. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    12:57 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Is it normal to take so much time for this patch ? :(
     
  3. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    11:57 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    Just install this one and use it.
    It is free for first 30 days. Install patch and you done.
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ouch that's scary and sad especially considering how fragmented Android is with various manufacturers and how they neglect or stop supporting older Android devices ! You wonder how many IoT devices powered by Android there are now and in the future susceptible to this i.e. Android based media players etc.
    There's a fine line in terms of timing between jumping in without testing the patch for unintended side effects and testing properly to release heh
    Yeah KernelCare if you server supports it is good i.e. Xen, KVM or non-OpenVZ servers with web hosts using centos distro kernels. Linode doesn't support kernelcare out of box but they have already released 4.8.3 fixed kernel Linode Blog » Linux “Dirty Cow” Vulnerability (CVE-2016-5195)

    see CloudLinux - Main | New template
     
    Last edited: Oct 25, 2016
  5. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:57 AM
  6. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yay thanks for heads up CentOS and RHEL 7 first with fixed kernel yum package. Just need for CentOS 6 release too. Updated 1st post of this thread with info too.

    Code (Text):
    yum list updates -q
    Updated Packages
    kernel.x86_64 3.10.0-327.36.3.el7 updates
    kernel-devel.x86_64 3.10.0-327.36.3.el7 updates
    kernel-headers.x86_64 3.10.0-327.36.3.el7 updates
    kernel-tools.x86_64 3.10.0-327.36.3.el7 updates
    kernel-tools-libs.x86_64 3.10.0-327.36.3.el7 updates
    python-perf.x86_64 3.10.0-327.36.3.el7 updates
    
     
    Last edited: Oct 25, 2016
  7. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:57 AM
    Centos is still vulnerable, Centos git source is patched but updates aren't released.

    Redhat linux, derivative Oracle linux- upstream and Oracle unbreakable patched and updates are released.
     
    Last edited: Oct 25, 2016
  8. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    12:57 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    So patch is not good or something else?

    Confused :(
     
  9. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:57 AM
    Centos updates aren't available yet.
    Only there git source is up-to-date and the code is patched.
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    12:57 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Ok let's wait then :)
     
  11. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ah they aren't yet .3

    was testing on older virtualbox centos 7 and it had update for .2 not .3 heh
     
  12. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    10:57 AM
    1.25.3
    10.6.x
    I just installed Kernelcare on two more of my servers - Install and forget
     
  13. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    11:57 AM
    Centos updates are mostly synced and thus available around night UTC + 2.
    Given the fact that most Centos developers are living in Europe
     
    Last edited: Oct 25, 2016
  14. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    looking into integrating kernelcare and kernel checks into Centmin Mod 123.09beta01 ;)
    thanks, good to know such info :)
     
  15. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    10:57 AM
    1.5.15
    MariaDB 10.2
    Updated kernels are now available on CentOS7

    Code:
    [root@demo ~]# uname -a
    Linux demo.mattwservices.xyz 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    [root@demo ~]# 
    
     
  16. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    thanks @Matt for heads up. Not seeing it on my end yet.

    preview of what's to come in 123.09beta01 for a kernelcheck.sh script to be baked into centmin mod :)

    normal output mode
    Code (Text):
    ./kernelcheck.sh
    -------------------------------------------------------------
    system kernel is up to date, nothing to do
    -------------------------------------------------------------
    

    debug output mode
    Code (Text):
    ./kernelcheck.sh
    latest: 3.10.0-327.36.2
    current: 3.10.0-327.36.2
    distro: rpm
    needs_update: False
    latest_installed: True
    latest_available: False
    inside_container: False
    installed: False
    up2date: False
    supported: True
     
    DEBUG Mode Output:
    kc_latest = 3.10.0-327.36.2
    kc_current = 3.10.0-327.36.2
    kc_distro = rpm
    kc_needs_update = False
    kc_latest_installed = True
    kc_latest_available = False
    kc_inside_container = False
    kc_installed = False
    kc_up2date = False
    kc_supported = True
    
    -------------------------------------------------------------
    system kernel is up to date, nothing to do
    -------------------------------------------------------------
    

    yes kernelcare detection and support/reporting :)
     
  17. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    12:57 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    This is what i have on my end :)

    Code:
    kernel.x86_64 0:3.10.0-327.36.3.el7
    Is that one the patched version?
     
  18. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yup see 1st post update
     
  19. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    looks like arrived on my test server too for CentOS 7 testing of kernelcheck.sh :)

    debug mode output
    Code (Text):
    ./kernelcheck.sh
    latest: 3.10.0-327.36.3
    current: 3.10.0-327.36.2
    distro: rpm
    needs_update: True
    latest_installed: False
    latest_available: True
    inside_container: False
    installed: False
    up2date: False
    supported: True
     
    DEBUG Mode Output:
    kc_latest = 3.10.0-327.36.3
    kc_current = 3.10.0-327.36.2
    kc_distro = rpm
    kc_needs_update = True
    kc_latest_installed = False
    kc_latest_available = True
    kc_inside_container = False
    kc_installed = False
    kc_up2date = False
    kc_supported = True
    
    -------------------------------------------------------------
    newer kernel is available, system reboot needed
    please run command below then reboot server:
    
      yum update
    -------------------------------------------------------------
    
     
  20. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    8:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+