CVE-2012-0056

I'm running Debian squeeze: uname -r -> 2.6.39.1-linode34

Debian says this is fixed: http://security-tracker.debian.org/tracker/CVE-2012-0056

I am vulnerable: http://grsecurity.net/~spender/correctprocmem_reproducer.c

(download code to a.c; make a.c; ./a)

(nice instructions here: http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/)

I would like to fix/patch this, but am not quite sure what to do.

16 Replies

Edit the configuration profile for your Linode, select the latest kernel (3.2.1) and reboot.

We've released new Linode kernels to address this issue.

32-bit: "Latest 3.0 (3.0.17-linode41)"

64-bit: "Latest 3.2 (3.2.1-x86_64-linode23)"

Simply select the respective kernel for your Linode in the configuration profile and reboot.

-Tim
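Added example (not part of the original thread and not Linode's own tooling): because posts in this thread report that the reproducer can still say "vulnerable" on a patched kernel, this sketch relates a `uname -r` string to the two kernel releases named in the post above. The function names and status labels are made up for illustration, and any Linode release other than the two named is reported as unlisted rather than assumed patched.

```sh
#!/bin/sh
# Added example: relate a kernel release string to the two Linode kernels the
# post above names as addressing CVE-2012-0056. Names here are hypothetical.
FIXED_32="3.0.17-linode41"          # 32-bit, from the post
FIXED_64="3.2.1-x86_64-linode23"    # 64-bit, from the post

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# kernel_status RELEASE: print one of
#   listed-fixed       exactly one of the releases named in the post
#   older-than-fixed   Linode kernel with a lower version than the named one
#   newer-unlisted     Linode kernel, equal or higher version; check the kernels page
#   not-linode-kernel  e.g. a distribution kernel booted through pv-grub
kernel_status() {
    rel=$1
    case $rel in
        "$FIXED_32"|"$FIXED_64") echo listed-fixed; return 0 ;;
        *-linode[0-9]*) ;;
        *) echo not-linode-kernel; return 0 ;;
    esac
    ver=${rel%%-*}
    case $ver in
        ''|*[!0-9.]*) echo not-linode-kernel; return 0 ;;
    esac
    case $rel in
        *-x86_64-linode*) fixed=${FIXED_64%%-*} ;;
        *) fixed=${FIXED_32%%-*} ;;
    esac
    if version_lt "$ver" "$fixed"; then echo older-than-fixed
    else echo newer-unlisted; fi
}

kernel_status "$(uname -r)"
```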

It's also worth noting that, if I am reading correctprocmem_reproducer.c right, it does not test if you are vulnerable to CVE-2012-0056, but rather only tests if you have applied the systemtap patch or not.

So don't freak out if the test says you're "vulnerable" on a patched kernel.

Glad chacham asked the question or I wouldn't have known. Shouldn't an email have gone out saying "your current kernel is deprecated due to a serious security risk please login, choose the latest and reboot"?

It was posted here: http://www.linode.com/kernels/. They have an RSS feed you can subscribe to.

You guys rock!

It's as easy as

1) Edit

2) Save

3) Reboot

I second the notion of a security email.

As for the code, seems right. After the reboot, it still told me I was vulnerable.

uname -r -> 3.0.17-linode41

And it is fixed. Hack tried by my local script kiddie. :)

@chacham:

> I second the notion of a security email.

Linode is an unmanaged service – it's up to us to keep an eye on this sort of thing. Subscribe to this: www.linode.com/kernels/rss.xml.

Thanx for the link.

The RSS feed doesn't mention severity. I understand it doesn't have to. But it'd be nice to have a list (or even this or another RSS feed) to bring critical patches to mind.

@pclissold:

> @chacham:
>
> > I second the notion of a security email.
>
> Linode is an unmanaged service – it's up to us to keep an eye on this sort of thing. Subscribe to this: www.linode.com/kernels/rss.xml.

Perhaps Linode should then also remove these useful services:

http://www.linode.com/features.cfm

<2 cents>

Those are on-demand, automated features that let us manage our 'nodes ourselves, not services they perform for us. Would it be nice if they provided a notice? Sure, but not everyone can change kernels without testing software first. And not everyone wants Linode tracking what they're doing with their Linode :wink: Plus there are already plenty of security services out there that let people track vulnerabilities, including email lists. Anyone worried enough about kernel vuln's should already be looking at those. Internet Storm Center is a good place to start feeling paranoid, plus help you find stuff to mitigate threats (e.g.: the DShield Block List)

Note, that even if we know of the vulnerabilities, we can't do anything without a kernel available here. Hence, they have to fix it. So, if they do, it'd be nice if they told us about it.

A wish, that's all.

@chacham:

> Note, that even if we know of the vulnerabilities, we can't do anything without a kernel available here. Hence, they have to fix it. So, if they do, it'd be nice if they told us about it.
>
> A wish, that's all.

That's incorrect. You can load whatever kernel you want, so you can do something, and they don't have to fix it for you to be protected.

Hmm… I assumed wrongly then. I thought the reason for the -linode kernels was that they were required.

@chacham:

> Hmm… I assumed wrongly then. I thought the reason for the -linode kernels was that they were required.

They're convenient. They're automatically the latest approved kernel from Linode, so a simple reboot is often enough to get you the latest approved kernel. They've got a configuration set that's optimally compatible with linodes (although mistakes have been known to be made). It's a "set it and forget it" kind of thing.

You can, however, load whichever kernel you want by selecting the pv-grub option. When that's selected, Xen will boot your linode with whichever default kernel you've configured grub to use.

Some people on linode even use ksplice to get kernel updates without rebooting, although I don't know what the situation with ksplice is after they were bought out by Oracle. They seem to still be offering service for Ubuntu and Fedora, but have dropped support for everything else, and it may only be a matter of time before everything but Oracle Linux gets dropped.

My 1 cent (all I can afford!). The kernel is the one part of my linode that I don't really control myself; posting an announcement in the normal announcement places (and not just some RSS feed) would be an advantage.
