oss-sec mailing list archives
Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
From: rf () q-leap de
Date: Fri, 6 Jun 2014 17:43:28 +0200
"Greg" == Greg KH <greg () kroah com> writes:
>> Thanks for the reply. I did read your earlier message. To answer >> your question: I only apply patches that are absolutely necessary >> to fix a known problem. Greg> "known problem" to whom? :) To the people on oss-security e.g? Published CVEs and obviously problems we experience on our installations. Greg> With that kind of attitude, you are going to miss a lot of Greg> valuable kernel fixes for issues. I'd recommend using a Greg> stable kernel release instead, but hey, it's your systems... Probably something to tell Red Hat as well. They are still on 2.6.32 :) But they have their reasons just as we have ours ... >> Want to make sure the changed stuff doesn't lead to a regression >> somewhere else. Greg> Nothing is ever "sure" in software. That's not totally new to me :) So let's say "as sure as possible". >> Futex stuff is a central component in the kernel ... I can't >> judge about any possible side effects from reading the code ... >> and this kernel is going on a number of production clusters. Greg> Test it out first, like you should any update. There are Greg> futex test suites out there, run them yourself to verify that Greg> nothing is broken. As for if it fixes potentially future Greg> problems that others might not know about, well, that's a Greg> gamble on everyone's part, right? Right. Thanks for the hint with the test suites. Will try them out. >> Anyway, I've applied all the (2+4) patches to our 3.12. Greg> Why are you "stuck" at 3.12? We need quite a bit of out-of-kernel.org stuff. Without staying on a fixed release for some time, this is non-maintainable. Greg> There is someone still maintaining 3.12-stable, why not rely Greg> on those releases if you want that kernel version, instead of Greg> rolling your own? We thankfully do rely on that as our base. In this case though, the patches haven't been ported until this moment. And I can't wait for them to appear since there is no time-line when that will happen ... Thanks for your comments, Roland ------- http://www.q-leap.com / http://qlustar.com --- HPC / Storage / Cloud Linux Cluster OS ---
Current thread:
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153), (continued)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Phil Turnbull (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) John Johansen (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Thomas Gleixner (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) rf (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Greg KH (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) rf (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Greg KH (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) rf (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Greg KH (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Rich Felker (Jun 06)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Solar Designer (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Phil Turnbull (Jun 05)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) Thomas Gleixner (Jun 07)
- Re: Linux kernel futex local privilege escalation (CVE-2014-3153) mancha (Jun 07)