Hi Michael,

Does the system automatically boot into the new kernel? Or does it need to be selected upon reboot? My system is too far away and I want to be sure before I do it.

Best Regards,

On Sun, Aug 16, 2009 at 12:39 PM, Michael Stauber <[email protected]> wrote:

> Hi all,
>
> A vulnerability (Null pointer dereference) has been found in all Linux 2.4/2.6 kernel versions since May 2001. This vulnerability could allow a local unprivileged user to gain root access. An exploit for it is already in the wild and usage of the exploit is fairly simple.
>
> This vulnerability (of course) also affects the latest CentOS5 kernel on BlueOnyx.
>
> More info on the vulnerability:
>
> http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070197.html
> https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10
>
> Linus Torvalds commented on this last Friday and submitted a patch into the code repository at kernel.org:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
>
> As of right now there is no official patched kernel available from either RedHat or CentOS. One for Fedora is out though. The one from RedHat will probably be around sometime early next week and the one from CentOS might take a bit longer - as usual (they just sat on a glibc update for nine days).
>
> As I rolled up a fixed kernel for Aventurin{e} anyway I went one step further and built a separate one for BlueOnyx, too.
>
> *PLEASE NOTE:* This updated kernel is not tested that well. It's tested in so far that it boots on the test machines I have access to. It's also tested that it closes the vulnerability CVE-2009-2692 mentioned here. It still may not work for you, although nothing speaks against it.
>
> For this reason this kernel is in the BlueOnyx-Testing repository, which is disabled by default.
>
> So you can either choose if you want to risk it with this custom kernel, or you can choose if you want to wait for the official CentOS kernel.
>
> As mentioned above: The exploit requires local access (either through a shell account, or through a vulnerable (web) application for example).
>
> How to enable the testing repository:
> --------------------------------------------
>
> (The testing repository has been cleaned out, so only the custom kernel is in it and no "other surprises".)
>
> As "root" edit this file on your server:
>
> /etc/yum.repos.d/BlueOnyx.repo
>
> Find the following section at the bottom:
>
> [BlueOnyx-Testing]
> name=BlueOnyx 5106R Testing - $basearch
> #baseurl=http://www.blueonyx.it/pub/BlueOnyx/5106R/CentOS5/blueonyx/testing/
> mirrorlist=http://www.blueonyx.it/mirror.php?release=$releasever&arch=testing
> gpgcheck=1
> enabled=0
> gpgkey=http://www.blueonyx.it/pub/BlueOnyx/RPM-GPG-KEY-NUSOL-5106R
>
> In it set the switch "enabled=0" to "enabled=1".
>
> Then run "yum clean all" and "yum update". That should download the updated kernel. For easy identification it has the extension "bx02" at the end.
>
> After the yum update edit the yum repository file again to set the testing repository back to disabled.
>
> Then reboot your server. Don't skip this step, as you need to boot into the new kernel to be protected.
>
> To confirm that your server has booted the correct kernel, run "uname -r". It should report something like this:
>
> 2.6.18-128.4.2.el5.bx02
> ...or...
> 2.6.18-128.4.2.el5.bx02-PAE
>
> The important part in the name is "bx02". If it's not showing that, then your box has booted an unpatched (stock) kernel.
>
> --
> With best regards
>
> Michael Stauber
>
> _______________________________________________
> Blueonyx mailing list
> [email protected]
> http://www.blueonyx.it/mailman/listinfo/blueonyx
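
A pre-reboot check for the question at the top of this thread, added here as an example and not part of either message: it reads a GRUB legacy config, reports which kernel the default entry will boot, and compares that and the running release against the "bx02" tag from the announcement. The config path `/boot/grub/grub.conf`, the sample stanzas and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GRUB legacy stanzas
# ("default=N", "title", "kernel") as in /boot/grub/grub.conf on CentOS 5.

# Constructed sample config; the second kernel name is a placeholder.
sample_grub_conf() {
cat <<'EOF'
default=0
timeout=5
title BlueOnyx (2.6.18-128.4.2.el5.bx02)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-128.4.2.el5.bx02 ro root=LABEL=/
title BlueOnyx (stock placeholder)
    root (hd0,0)
    kernel /vmlinuz-STOCK-PLACEHOLDER ro root=LABEL=/
EOF
}

# Print the kernel image of the entry that default=N (0-based) selects.
default_kernel() {
    awk '
        BEGIN { want = 0 }
        /^[ \t]*default[ \t]*=/ {
            split($0, a, "=")
            if (a[2] !~ /^[ \t]*[0-9]+[ \t\r]*$/) bad = 1   # e.g. default=saved
            want = a[2] + 0
        }
        /^[ \t]*title[ \t]/  { idx++ }
        /^[ \t]*kernel[ \t]/ { k[idx - 1] = $2 }
        END { if (bad || !(want in k)) exit 1; print k[want] }
    ' "$1"
}

# True when a release string or image path carries the "bx02" tag.
is_patched() { case "$1" in *bx02*) return 0 ;; *) return 1 ;; esac; }

# $1 = grub.conf path, $2 = running release (output of uname -r).
# Returns 0 both patched, 1 default entry unpatched, 2 unknown, 3 reboot pending.
check_kernels() {
    next=$(default_kernel "$1") || { echo "cannot resolve default entry"; return 2; }
    echo "running: $2"; echo "next boot: $next"
    is_patched "$next" || { echo "default entry is not bx02"; return 1; }
    is_patched "$2" || { echo "running kernel is not bx02 yet"; return 3; }
}

# Demo on the constructed sample. On a server:
#   check_kernels /boot/grub/grub.conf "$(uname -r)"
demo=$(mktemp) && sample_grub_conf > "$demo"
check_kernels "$demo" "2.6.18-128.4.2.el5.bx02"
rm -f "$demo"
```

A return code of 1 before rebooting a remote machine means the default entry still points at a kernel without the tag; 3 after `yum update` is expected until the reboot.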
