Kernel Vulnerability in Elastix 2.0.1

Discussion in 'General' started by wavesound, Sep 23, 2010.

  1. wavesound

    There's a serious vulnerability in the Linux kernel shipped with Elastix 2.0.0, 2.0.1 and potentially 1.6. This vulnerability would allow users to elevate themselves to the root console...

    http://bugs.centos.org/view.php?id=4518

    Will we be seeing a new kernel in the yum repository or should we plan to patch this manually?
     
  2. doncipo

    I think you guys should really consider upgrading the kernel to the latest CentOS kernel version for Elastix 1.5, 1.6 and 2.0, or at least publish a "howto build Elastix updated kernel from source".
     
  3. Lee Sharp

    I am lost... This seems to only be on the 2.6.18 branch, and Elastix 2.0.x is on the 2.6.32 branch. I can find no links to this vulnerability on 2.6.32... Am I wrong?
     
  4. rafael

    Re: Re:Kernel Vulnerability in Elastix 2.0.1

    Hi guys, can you please post this in the bug track system?
    http://bugs.elastix.org

    Developers are not here most of the time, but they must read the bug track every time.

    regards,

    Rafael
     
  5. doncipo

  6. Lee Sharp

    Are there? Can you show me a link that talks about this vuln in the 2.6.32 branch?
     
  7. wavesound

    http://www.ubuntu.com/usn/usn-988-1
     
  8. Lee Sharp

    I stand corrected. Good find!
     
  9. doncipo

    Why is this bug taking so long to solve? Building a new kernel should be a relatively simple task.
     
  10. doncipo

    Yet another important kernel security update issued by Red Hat: http://rhn.redhat.com/errata/RHSA-2010-0792.html

    =======================================================================

    This update fixes the following security issue:

    * The rds_page_copy_user() function in the Linux kernel Reliable Datagram
    Sockets (RDS) protocol implementation was missing sanity checks. A local,
    unprivileged user could use this flaw to escalate their privileges.
    (CVE-2010-3904, Important)

    ========================================================================

    The actual Elastix kernel is looking like schweitzer cheese :D

    C'mon guys, this is getting frustrating!
     
  11. donhwyo

    You must be rolling your own.

    uname -r 2.6.18-164.el5 for 1.6x

    uname -r 2.6.18-194.3.1.el5 for 2.x

    uname -r 2.6.18-194.17.4.el5 for plain CentOS

    Don
     
