OpenVZ Security Update (Kernel RHEL6 042stab108.5)
An update for OpenVZ (RHEL6) was just released to address various security vulnerabilities and it is recommended that you update as soon as possible.
Comments
already patched testing nodes
Thanks for the info, BRB escalating to host node fs.
KernelCare
is that really worth the money?
it is
Not having to reboot a node and disrupt customers for 2.99.... very much worth it.
Considering it's really cheap, I would guess so.
Basically just asked is a pen worth it? Only if you're GVH, no
Maybe you guys see something different but kernel care for us shows 2.6.32-042stab108.2 as the latest, and no update, and no answer on their phones. We did a manual update and reboot on all nodes.
seems really worth the $2.95 a month then
Nevermind.
so, paying for quick service, and yet this update was released more than 1 day ago. a few people need to ask for a refund I think.
Apparently the bug fixes were in KC 108.2
http://kernelcare.com/about/testimonials.php
time to update your testimonial
there goes your uptime
https://bugzilla.openvz.org/show_bug.cgi?id=3256
108.2 was released in May. security bug wasn't posted until June
Because one late update makes the entire product utterly worthless.
Is there an SLA that has been violated?
My New York Wable VPS is now showing 108.5 after I rebooted it.
no, not saying that. might not be an SLA issue, but there's some expectation
KernelCare includes the patch but version number is the same
There is assumption and then there is reality. It's up to the purchaser to reconcile those prior to purchasing a product or service. There's no passing the buck when you assume.
I've always understood kernel version stays the same unless you do a reboot, but they apply the security updates instantly as a patch to your current kernel, hence the version showing the same.
Updated nodes earlier yesterday & rebooted in off-peak hours after an urgent announcement.
KernelCare are claiming they have patched this:
http://patches.kernelcare.com/3560bd58ecb7287472b6912830ac401daedeab92/3/kpatch.html
This is supposed to be the BUG:
CVE CVE-2015-2925, CVSSv2 Score: 6.0
Description:
fs: do not allow to escape bind mount root from inside ve
Patch: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch
@Incero Correct. KernelCare patched this on the 14th so for those asking, yes $2.99/month is worth it because having kernels patched before the official patch is released is awesome.
For you KernelCare users, sign up for the mailing lists to save you some time and headache.
Yup, but usually kcarectl --uname shows the newer kernel version which is what I found weird
EDIT: They've just released the patch for 2.6.32-042stab108.5, https://groups.google.com/forum/#!topic/kernelcare-vz/aG-v--q0tUw
Yep, with KernelCare check the patch info, don't worry as much about the kernel version displayed; a reboot is not needed.
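As an added example (not from any poster in this thread and not KernelCare's own tooling), here is a small POSIX sh check that applies the advice above: treat a node as covered if the booted kernel is 042stab108.5 or newer, or if the patch info reports CVE-2015-2925 regardless of what `uname -r` says. It assumes `kcarectl --patch-info` output lists the CVE id as text; the sample output below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether an OpenVZ RHEL6 node is covered for CVE-2015-2925,
# either by running kernel 042stab108.5+ or by a KernelCare patch that names the CVE.
# Assumption: `kcarectl --patch-info` prints applied patches with their CVE ids.

# Extract the stab version (e.g. 108.5) from a kernel release string such as
# 2.6.32-042stab108.2; prints nothing if the string is not an OpenVZ stab kernel.
stab_of() {
    printf '%s\n' "$1" | sed -n 's/.*042stab\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if stab version $1 >= $2, comparing major then minor numerically
# (a plain string compare would rank 108.5 above 110.1).
stab_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# node_covered <uname -r output> <kcarectl --patch-info output>
# Prints "kernel", "kernelcare" or "unpatched"; exit status 1 when unpatched.
node_covered() {
    stab=$(stab_of "$1")
    if [ -n "$stab" ] && stab_ge "$stab" "108.5"; then
        echo kernel; return 0
    fi
    # KernelCare keeps the reported kernel version, so look at the patch list instead.
    if printf '%s\n' "$2" | grep -q 'CVE-2015-2925'; then
        echo kernelcare; return 0
    fi
    echo unpatched; return 1
}

# Constructed sample patch-info text (field names are illustrative, not real output).
SAMPLE_PATCH_INFO='kpatch-name: 2.6.32/diff-fs-do-not-allow-to-escape-bind-mount-root-from-inside-ve.patch
kpatch-description: fs: do not allow to escape bind mount root from inside ve
kpatch-cve: CVE-2015-2925'

# Live use would be: node_covered "$(uname -r)" "$(kcarectl --patch-info)"
node_covered "2.6.32-042stab108.2" "$SAMPLE_PATCH_INFO"      # kernelcare
node_covered "2.6.32-042stab108.5" ""                        # kernel
node_covered "2.6.32-042stab108.2" "" || echo "schedule a reboot"
```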
Very much worth it.
We use Kernel Care too and it's working great with the updates.
I've been using KernelCare for some time now. Always great stuff.