Linode Forum

[chacham]

I'm running Debian squeeze: uname -r -> 2.6.39.1-linode34

Debian says this is fixed: http://security-tracker.debian.org/tracker/CVE-2012-0056

I am vulnerable: http://grsecurity.net/~spender/correct_proc_mem_reproducer.c

(download code to a.c; make a.c; ./a)

(nice instructions here: http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/)

I would like to fix/patch this, but am not quite sure what to do.

[GLaDOSDan]

Edit the configuration profile for your Linode, select the latest kernel (3.2.1) and reboot.

[theckman]

We've released new Linode kernels to address this issue.

32-bit: "Latest 3.0 (3.0.17-linode41)"
64-bit: "Latest 3.2 (3.2.1-x86_64-linode23)"

Simply select the respective kernel for your Linode in the configuration profile and reboot.

-Tim

[bss]

It's also worth noting that, if I am reading correct_proc_mem_reproducer.c right, it does not test if you are vulnerable to CVE-2012-0056, but rather only tests if you have applied the systemtap patch or not.

So don't freak out if the test says you're "vulnerable" on a patched kernel.

[jebblue]

Glad chacham asked the question or I wouldn't have known. Shouldn't an email have gone out saying "your current kernel is deprecated due to a serious security risk please login, choose the latest and reboot"?

[obs]

It was posted here http://www.linode.com/kernels/ they have an rss feed you can subscribe to

[chacham]

You guys rock!

It's as easy as

1) Edit
2) Save
3) Reboot

I second the notion of a security email.

As for the code, seem right. After the reboot, it still told me i was vulnerable.

uname -r - >3.0.17-linode41

[chacham]

And it is fixed. hack tried by my local script kiddie. :)

[pclissold]

chacham wrote: I second the notion of a security email.
Linode is an unmanaged service -- it's up to us to keep an eye on this sort of thing. Subscribe to this: www.linode.com/kernels/rss.xml.

[chacham]

Thanx for the link.

The RSS feed doesn't mention severity. I understand it doesn't have to. But it'd be nice to have a list (or even this or another RSS feed) to bring critical patches to mind.

[jebblue]

pclissold wrote: chacham wrote: I second the notion of a security email.
Linode is an unmanaged service -- it's up to us to keep an eye on this sort of thing. Subscribe to this: www.linode.com/kernels/rss.xml.

Perhaps Linode should then also remove these useful services:

http://www.linode.com/features.cfm

[AgentOfPork]

<2 cents>
Those are on-demand, automated features that let us manage our 'nodes ourselves, not services they perform for us. Would it be nice if they provided a notice? Sure, but not everyone can change kernels without testing software first. And not everyone wants Linode tracking what they're doing with their Linode :wink: Plus there are already plenty of security services out there that let people track vulnerabilities, including email lists. Anyone worried enough about kernel vuln's should already be looking at those. Internet Storm Center is a good place to start feeling paranoid, plus help you find stuff to mitigate threats (e.g.: the DShield Block List)

</2 cents>

[chacham]

Note, that even if we know of the vulnerabilities, we can't do anything without a kernel available here. Hence, they have to fix it. So, if they do, it'd be nice if they told us about it.

A wish, that's all.

[Guspaz]

chacham wrote: Note, that even if we know of the vulnerabilities, we can't do anything without a kernel available here. Hence, they have to fix it. So, if they do, it'd be nice if they told us about it.

A wish, that's all.

That's incorrect. You can load whatever kernel you want, so you can do something, and they don't have to fix it for you to be protected.

[chacham]

Hmm... i assumed wrongly then. i thought the reason for the -linode kernels was that they were required.