CentOS - Oct 2016 - CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Flaw

Dear All,

I guess, we all have to urgently apply workaround, following, say, this:

https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/

At least those of us who still have important multi user machines running
Linux. (Yes, me too, I do have a couple, thank goodness, the rest are
already not ;-)

Have a productive weekend, everybody.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
> Dear All,
>
> I guess, we all have to urgently apply workaround, following, say, this:
>
>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
>
> At least those of us who still have important multi user machines running
> Linux.
I should have said CentOS 7. Older ones (CentOS 6 and 5) are not vulnerable.
> (Yes, me too, I do have a couple, thank goodness, the rest are
> already not ;-)
Luckily, no multi-user CentOS 7 machines here, only single user workstations.

Good luck, everybody!

Valeri

PS Sorry about a bit premature first message: I realize not that I was in
the same state of mind as back then when there was remote root SSH
vulnerability. It was long ago, but some may still remember that...
>
> Have a productive weekend, everybody.
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Sat Oct 22 08:20:24 PM, Valeri Galtsev wrote:
> I should have said CentOS 7. Older ones (CentOS 6 and 5) are not
vulnerable.
https://bugzilla.redhat.com/show_bug.cgi?id=1384344

Comment #35 points to a link that doesn't depend on /proc/self/mem and
claims to work on CentOS 6 and 5.  I'm not quite sure what I should
be looking for when I run the program, though.

I do hope Redhat releases patches soon.

Cheers,
Zube

On 10/22/2016 07:49 PM, Valeri Galtsev wrote:
> Dear All,
> 
> I guess, we all have to urgently apply workaround, following, say, this:
> 
>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
> 
> At least those of us who still have important multi user machines running
> Linux. (Yes, me too, I do have a couple, thank goodness, the rest are
> already not ;-)
> 
> Have a productive weekend, everybody.
> 
> Valeri
We are waiting for the official RHEL source code for this issue for the
base kernel, and I do not recommend everybody out there use our
experimental 4.4.x kernel for x86_64, BUT with that said I did release a
kernel on Friday that has the fix for CVE-2016-5195.

It is kernel-4.4.26-201.el7.centos.x86_64.rpm, and it lives here:

http://mirror.centos.org/altarch/7/experimental/x86_64/

I don't recommend using this in production without lots of testing
first, and it requires a new linux-firmware, xfsprogs, supermin5.  It
also does not support secure boot.

I am using it on several (currently 6) machines and we created it for
newer IoT type boards and compute sticks, etc.  I have it running on 3
laptops and 3 KVM servers without any issues .. but that is a very small
subset of tested configurations.

Thanks,
Johnny Hughes




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20161023/f7068b78/attachment-0001.sig>

On Sat, 22 Oct 2016, Valeri Galtsev wrote:
> On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
>> Dear All,
>>
>> I guess, we all have to urgently apply workaround, following, say,
this:
>>
>>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
>>
>> At least those of us who still have important multi user machines
running
>> Linux.
>
> I should have said CentOS 7. Older ones (CentOS 6 and 5) are not
vulnerable.
Patch is out on RHEL side:

https://rhn.redhat.com/errata/RHSA-2016-2098.html

*******************************************************************************
Gilbert Sebenste                                                    ********
(My opinions only!)                                                  ******
*******************************************************************************

On 10/22/2016 07:49 PM, Valeri Galtsev wrote:
> Dear All,
> 
> I guess, we all have to urgently apply workaround, following, say, this:
> 
>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
> 
> At least those of us who still have important multi user machines running
> Linux. (Yes, me too, I do have a couple, thank goodness, the rest are
> already not ;-)
> 
> Have a productive weekend, everybody.
> 
> Valeri
> 
And to close the book on this CVE, I just pushed the CentOS-5.11 kernel
to fix this issue as well:

kernel-2.6.18-416.el5

So, the only thing we still have to release is a fixed kernel for the
aarch64 AltArch SIG.  And we are building a test kernel for that right now.

ppc64le, ppc64, i686, arm32 for CentOS-7 .. and all released arches for
CentOS-5 and CentOS-6 ... now all have updates released.

Thanks,
Johnny Hughes


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20161028/e8d7b180/attachment-0001.sig>

On Fri, October 28, 2016 9:43 am, Johnny Hughes wrote:
> On 10/22/2016 07:49 PM, Valeri Galtsev wrote:
>> Dear All,
>>
>> I guess, we all have to urgently apply workaround, following, say,
this:
>>
>>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
>>
>> At least those of us who still have important multi user machines
>> running
>> Linux. (Yes, me too, I do have a couple, thank goodness, the rest are
>> already not ;-)
>>
>> Have a productive weekend, everybody.
>>
>> Valeri
>>
>
> And to close the book on this CVE, I just pushed the CentOS-5.11 kernel
> to fix this issue as well:
>
> kernel-2.6.18-416.el5
Johnny, thanks a lot!!

(even though on my most ancient venerable couple of boxes still running
CentOS 5 users can not execute anything of their own, so the boxes are
immune to hack from inside, is still gives one great feeling to have
kernel patched).

Thanks again for the great job you, guys are doing!

Valeri
>
> So, the only thing we still have to release is a fixed kernel for the
> aarch64 AltArch SIG.  And we are building a test kernel for that right
> now.
>
> ppc64le, ppc64, i686, arm32 for CentOS-7 .. and all released arches for
> CentOS-5 and CentOS-6 ... now all have updates released.
>
> Thanks,
> Johnny Hughes
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++