OpenVZ Security Update (Kernel RHEL6 042stab108.5)
Bruce Member

An update for OpenVZ (RHEL6) was just released to address various security vulnerabilities and it is recommended that you update as soon as possible.

https://openvz.org/Download/kernel/rhel6/042stab108.5

Comments

  • already patched testing nodes

  • TinyTunnel_Tom said: already patched testing nodes

    Thanks for the info, BRB escalating to host node fs.

  • KuJoe Member, Host Rep

    <3 KernelCare :)

  • Bruce Member

    @KuJoe said:
    <3 KernelCare :)

    is that really worth the money?

  • ndelaespada Member, Host Rep

    @Bruce said:
    is that really worth the money?

    it is

  • AnthonySmith Member, Patron Provider

    Bruce said: is that really worth the money?

    Not having to reboot a node and disrupt customers for 2.99.... very much worth it.

  • @Bruce said:
    is that really worth the money?

    Considering it's really cheap, I would guess so.

  • @Bruce said:
    is that really worth the money?

    Basically just asked: is a pen worth it? Only if you're GVH, no.

  • SpeedyKVM Banned, Member

    Maybe you guys see something different, but KernelCare for us shows 2.6.32-042stab108.2 as the latest, and no update, and no answer on their phones. We did a manual update and reboot on all nodes.

    Thanked by 1: Lee
  • Bruce Member

    @Incero said:
    Maybe you guys see something different, but KernelCare for us shows 2.6.32-042stab108.2 as the latest, and no update, and no answer on their phones. We did a manual update and reboot on all nodes.

    seems really worth the $2.95 a month then

  • Neoon Community Contributor, Veteran
    edited June 2015

    Nevermind.

  • Bruce Member
    edited June 2015

    KernelCare runs a check for the availability of new patches every 4 hours.

    Kernel team monitors security mailing lists. Once they notice that there is a security vulnerability that affects one of the supported kernels - they prepare a patch for that vulnerability.

    Kernel RHEL6 042stab108.5
    Fix for a major security bug affecting simfs containers (CVE-2015-2925, #3256)
    Security fixes backported from RHEL6 kernel 2.6.32-504.23.4.el6 (RHSA-2015:1081-2):
    CPT fixes

    --SergeyB (talk) 14:16, 23 June 2015 (EDT)

    So, paying for quick service, and yet this update was released more than 1 day ago. A few people need to ask for a refund, I think.

  • SpeedyKVM Banned, Member

    Apparently the bug fixes were in KC 108.2

  • Bruce Member

    @Incero said:
    We did a manual update and reboot on all nodes.

    http://kernelcare.com/about/testimonials.php

    time to update your testimonial :)

    looking forward to counting uptime in the years

    there goes your uptime :(

  • Bruce Member

    @Incero said:
    Apparently the bug fixes were in KC 108.2

    https://bugzilla.openvz.org/show_bug.cgi?id=3256

    108.2 was released in May. The security bug wasn't posted until June.

    • diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve
      Added to 042stab108_3
  • @Bruce said:
    So, paying for quick service, and yet this update was released more than 1 day ago. A few people need to ask for a refund, I think.

    Because one late update makes the entire product utterly worthless.

    Is there an SLA that has been violated?

  • @Incero said:
    Maybe you guys see something different, but KernelCare for us shows 2.6.32-042stab108.2 as the latest, and no update, and no answer on their phones. We did a manual update and reboot on all nodes.

    My New York Wable VPS is now showing 108.5 after I rebooted it.

  • Bruce Member

    @Microlinux said:
    Because one late update makes the entire product utterly worthless.

    No, not saying that. Might not be an SLA issue, but there's some expectation.

  • SpeedBus Member, Host Rep

    KernelCare includes the patch, but the version number is the same:

    [root@box ~]# kcarectl --uname
    2.6.32-042stab108.2
    
    [root@box ~]# kcarectl --patch-info
    ...............
    kpatch-name: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch
    kpatch-description: fs: do not allow to escape bind mount root from inside ve
    kpatch-kernel:
    kpatch-cve: CVE-2015-2925
    kpatch-cvss: 6.0
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-2925
    kpatch-patch-url: https://openvz.org/Download/kernel/rhel6-testing/042stab108.3
    
  • Microlinux Member
    edited June 2015

    @Bruce said:
    might not be an SLA issue, but there's some expectation

    There is assumption and then there is reality. It's up to the purchaser to reconcile those prior to purchasing a product or service. There's no passing the buck when you assume.

  • @SpeedBus said:
    KernelCare includes the patch, but the version number is the same:

    > [root@box ~]# kcarectl --uname
    > 2.6.32-042stab108.2
    > 
    > [root@box ~]# kcarectl --patch-info
    > ...............
    > kpatch-name: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch
    > kpatch-description: fs: do not allow to escape bind mount root from inside ve
    > kpatch-kernel:
    > kpatch-cve: CVE-2015-2925
    > kpatch-cvss: 6.0
    > kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-2925
    > kpatch-patch-url: https://openvz.org/Download/kernel/rhel6-testing/042stab108.3
    > 

    I've always understood kernel version stays the same unless you do a reboot, but they apply the security updates instantly as a patch to your current kernel, hence the version showing the same.

  • Sady Member

    Updated nodes earlier yesterday & rebooted in off-peak hours after an urgent announcement.

  • KernelCare are claiming they have patched this:

    http://patches.kernelcare.com/3560bd58ecb7287472b6912830ac401daedeab92/3/kpatch.html

    This is supposed to be the bug:

    CVE CVE-2015-2925, CVSSv2 Score: 6.0
    Description:

    fs: do not allow to escape bind mount root from inside ve
    Patch: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch

  • KuJoe Member, Host Rep
    edited June 2015

    @Incero Correct. KernelCare patched this on the 14th so for those asking, yes $2.99/month is worth it because having kernels patched before the official patch is released is awesome. :)

    For you KernelCare users, sign up for the mailing lists to save you some time and headache.

    Thanked by 3: vimalware, Bruce, ryanarp
  • SpeedBus Member, Host Rep
    edited June 2015

    AshleyUk said: I've always understood kernel version stays the same unless you do a reboot, but they apply the security updates instantly as a patch to your current kernel, hence the version showing the same.

    Yup, but usually kcarectl --uname shows the newer kernel version, which is what I found weird.

    EDIT: They've just released the patch for 2.6.32-042stab108.5, https://groups.google.com/forum/#!topic/kernelcare-vz/aG-v--q0tUw

    This release has no security updates, as all necessary patches were released on June 14, 2015.

  • AnthonySmith Member, Patron Provider

    Yep, with KernelCare check the patch info and don't worry as much about the kernel version displayed; a reboot is not needed.

    Very much worth it.

    Thanked by 1: gestiondbi
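The check AnthonySmith and AshleyUk describe above, written out as an added example (not code from the thread, from OpenVZ or from KernelCare): a node is treated as covered for CVE-2015-2925 if its running kernel is already 042stab108.3 or newer, or if a `kpatch-cve` line in `kcarectl --patch-info` names the CVE, so a live-patched node that still reports 108.2 from `kcarectl --uname` is not flagged. The sample outputs are constructed from the lines SpeedBus quoted; on a real node substitute the actual command output.

```shell
# Added example, not from the thread or from KernelCare: decide whether a CVE is
# covered on an OpenVZ RHEL6 node either by kernel version or by a live patch.
# Sample outputs are constructed from the kcarectl lines quoted in the thread.
SAMPLE_UNAME='2.6.32-042stab108.2'
SAMPLE_PATCH_INFO='...............
kpatch-name: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch
kpatch-description: fs: do not allow to escape bind mount root from inside ve
kpatch-cve: CVE-2015-2925
kpatch-cvss: 6.0'

# stab_minor VERSION -> prints "108 2" for 2.6.32-042stab108.2 (nothing if not a stab kernel)
stab_minor() {
  printf '%s\n' "$1" | sed -n 's/.*042stab\([0-9]*\)\.\([0-9]*\).*/\1 \2/p'
}

# kernel_at_least RUNNING REQUIRED -> success if RUNNING is REQUIRED or newer
kernel_at_least() {
  set -- $(stab_minor "$1") $(stab_minor "$2")
  [ $# -eq 4 ] || return 1            # one side was not a 042stab kernel
  [ "$1" -gt "$3" ] && return 0       # newer stab series
  [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]
}

# cve_in_patch_info CVE TEXT -> success if a kpatch-cve line names the CVE exactly
cve_in_patch_info() {
  printf '%s\n' "$2" | grep -qx "kpatch-cve: $1"
}

# cve_covered CVE RUNNING FIXED_IN PATCH_INFO -> verdict on stdout, exit 0 if covered
cve_covered() {
  if kernel_at_least "$2" "$3"; then
    echo "covered: kernel $2 is $3 or newer"
  elif cve_in_patch_info "$1" "$4"; then
    echo "covered: KernelCare live patch lists $1 (uname still reports $2)"
  else
    echo "NOT covered: kernel $2 is older than $3 and KernelCare lists no patch for $1"
    return 1
  fi
}

# On a real node: cve_covered CVE-2015-2925 "$(kcarectl --uname)" 2.6.32-042stab108.3 "$(kcarectl --patch-info)"
cve_covered CVE-2015-2925 "$SAMPLE_UNAME" 2.6.32-042stab108.3 "$SAMPLE_PATCH_INFO"
```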
  • We use Kernel Care too and it's working great with the updates.

  • I've been using KernelCare for some time now. Always great stuff.
