Stack Clash / Stack Guard Page vulnerability ...
- Posts: 2
- Joined: 2017/06/19 20:03:44
- Location: Chicago-land
As reported by Qualys (https://blog.qualys.com/securitylabs/20 ... tack-clash), Stack Clash is a memory management vulnerability. Related vulnerabilities are CVE-2017-1000364, CVE-2017-1000365, and CVE-2017-1000367, and Qualys's advisory is at https://www.qualys.com/2017/06/19/stack ... -clash.txt
Security patch time-frame?
Re: Stack Clash / Stack Guard Page vulnerability ...
See https://access.redhat.com/security/vuln ... stackguard
Note that CentOS rebuilds updates published by Red Hat when they become available, and the CentOS Project does not have any "inside" information about release dates or such.
Re: Stack Clash / Stack Guard Page vulnerability ...
Yet again I'm pulling my hair over CentOS being slow to release patches for another serious bug, for which patches exist both upstream and for Scientific Linux (not to mention other distros like Debian).
I mean, this is priv-esc (and might be exploitable remotely), for which PoC exploits exist in the wild.
So please, can we get some decent information/somewhat ETA?
Re: Stack Clash / Stack Guard Page vulnerability ...
@wrc As CentOS is free and the community is doing a great job, I guess there is no reason to complain about being slow.
Still, I would like to ask for an update about the patches for the Stack Clash vulnerability. From what I have read, Red Hat has released their patches already, which from my understanding means that they can be merged into CentOS.
Red Hat announcement: https://access.redhat.com/security/vuln ... stackguard
I understand that the community might be busy working on it. I am not asking about the fix now but it would be great to get an estimate for when approximately the patches might be available.
Thanks a lot!
Re: Stack Clash / Stack Guard Page vulnerability ...
The patches for CentOS 6 are already out and propagating to the mirrors at the moment. The CentOS 7 kernels are more complicated as they need to be signed for secure boot but should be along shortly.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Stack Clash / Stack Guard Page vulnerability ...
@gerhard: Yes, I do appreciate the work on CentOS (even though my initial post might seem a bit harsh), but I'd also appreciate maybe an announcement on the CentOS-announce mailing list so we can schedule time for updating and rebooting hundreds of production servers. I'm just annoyed by the fact that it seems to take longer for CentOS to update when shit hits the fan, and/or that information is a bit lacking, when an equivalent (read: Scientific Linux) does this better. They released the patches for SL6 and SL7 yesterday and announced it in their dev blog.
@TrevorH: Thank you for the update, I see the announcement hit CentOS-announce finally. Will start upgrading our CentOS 6 boxes and continue with CentOS 7 boxes after that.
Re: Stack Clash / Stack Guard Page vulnerability ...
CentOS 7 updates for both glibc and kernel were pushed to mirrors a few hours ago. You should now be able to yum update to get the updates.
Re: Stack Clash / Stack Guard Page vulnerability ...
Thank you ... appreciate the update!
Re: Stack Clash / Stack Guard Page vulnerability ...
Dear all,
I have updated my system with the command
yum update glibc kernel*
After this, I ran the test script provided by Red Hat at the URL
https://access.redhat.com/security/vuln ... stackguard under the Diagnose section,
and the result shows that the kernel is still vulnerable.
May I know if more patches for CentOS will be released, or should I just ignore the returned message?
Please refer to the images, thanks in advance.
script test before update
script test after update
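A diagnostic script can only report on the code that is actually running: an updated kernel package takes effect only after booting into it, and processes started before the glibc update keep the old library mapped until they are restarted. As an added example (not from this thread, Red Hat, or the CentOS Project), here is a small POSIX shell check for both conditions on an RPM-based host; the kernel release strings used in its comments and test are constructed samples, not the patched versions.

```shell
#!/bin/sh
# Added example: after `yum update glibc kernel*`, report whether the host is
# still running the pre-update kernel or pre-update glibc, so the reader knows
# whether a vulnerability check is testing the new code or the old code.

# True (exit 0) when the running kernel release is older than the newest
# installed one. Arguments are release strings such as the constructed
# "3.10.0-514.21.1.el7.x86_64"; compared component-wise with `sort -V`.
kernel_needs_reboot() {
    running="$1"; newest="$2"
    [ "$running" = "$newest" ] && return 1
    highest=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    [ "$highest" = "$newest" ]
}

# Newest installed kernel package, formatted like `uname -r` output.
newest_installed_kernel() {
    rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel | sort -V | tail -n 1
}

# Number of live processes whose mapped libc file has been replaced on disk
# (shown as "(deleted)" in /proc/PID/maps); they still run the old glibc.
stale_glibc_processes() {
    grep -l '/libc[-.][^ ]* (deleted)' /proc/[0-9]*/maps 2>/dev/null | wc -l | tr -d ' '
}

main() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; the live check is for RPM-based systems"
        return 0
    fi
    running=$(uname -r)
    newest=$(newest_installed_kernel)
    if kernel_needs_reboot "$running" "$newest"; then
        echo "REBOOT NEEDED: running $running, newest installed $newest"
    else
        echo "kernel OK: running $running"
    fi
    stale=$(stale_glibc_processes)
    if [ "${stale:-0}" -gt 0 ]; then
        echo "RESTART NEEDED: $stale process(es) still map the old glibc"
    else
        echo "glibc OK: no process maps a replaced libc"
    fi
    return 0
}

main
```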
Re: Stack Clash / Stack Guard Page vulnerability ...
Thanks for the update! Great work!