How to fix "Dirty COW" on CentOS 6.8(linux 2.6.32)?

[TrevorH]

No, CentOS does not work like that. When a new point release is made available, all updates for previous point releases stop. The next point release is the update. If you need to stay on a specific point release but still get security updates then you need to subscribe to the RHEL EUS program (and open your wallet).

[royster]

So, fix for CentOS 6.x is not yet ready, correct? Been reading up on the wrong board (CentOS 7.x) and looks like theirs is already ready? (viewtopic.php?f=51&t=59782&start=20)

Thanks.

[avij]

The above two messages were in relation to CentOS 6.7, which stopped being supported when 6.8 came out.

The kernel update for 6.8 was released early this morning (depending on your timezone) so you should get it with a simple yum update now.

[royster]

Thanks @avij. I'm on 6.8 and I've been doing yum updates/yum clean/etc (even did the rm -rf /var/cache/yum...) but I'm still on:

$ rpm -q kernel
kernel-2.6.32-358.11.1.el6.x86_64
kernel-2.6.32-358.18.1.el6.x86_64
kernel-2.6.32-431.11.2.el6.x86_64
kernel-2.6.32-642.6.1.el6.x86_64
kernel-2.6.32-642.6.2.el6.x86_64

Any thoughts?

Thanks.

[josie]

I updated earlier today

this command
$ rpm -q kernel
returns me the same info as you received

this command
$ uname -r
returns kernel-2.6.32-642.6.2.el6.x86_64

[enjinn]

Did you check to make sure your entries in grub updated to the new kernel?

[royster]

How to check @enjinn?

[enjinn]

Use your favorite editor (vi, vim, nano, etc) and open /boot/grub/grub.conf. I would read this first https://wiki.centos.org/HowTos/GrubInstallation before you edit the file.

[TrevorH]

The fixed kernel for CentOS 6 is kernel-2.6.32-642.6.2.el6.x86_64 as can be verified by running rpm -q --changelog kernel-2.6.32-642.6.2.el6.x86_64 | grep CVE-2016-5195

Code: Select all

$ rpm -q --changelog kernel-2.6.32-642.6.2.el6.x86_64 | grep CVE-2016-5195
- [mm] close FOLL MAP_PRIVATE race (Larry Woodman) [1385116 1385117] {CVE-2016-5195}

If you want to check if you're actually running the fixed kernel then you can run rpm -q --changelog kernel-$(uname -r) | grep CVE-2016-5195 which should return the same output if you're running a fixed kernel or nothing if you are not.

[avij]

In other words..

Running uname -r shows which kernel version you are running. For the Dirty COW fix, you would need to be running 2.6.32-642.6.2 or newer.

rpm -q kernel shows which kernel versions are installed on your system. If you see kernel-2.6.32-642.6.2.el6 in the output, you have the fixed kernel installed. If this does not match what you are actually running (see above), try rebooting with shutdown -r now and run the uname -r check again.