oss-sec mailing list archives
Re: Linux kernel futex local privilege escalation (CVE-2014-3153)
From: rf () q-leap de
Date: Fri, 6 Jun 2014 17:43:28 +0200
"Greg" == Greg KH <greg () kroah com> writes:

>> Thanks for the reply. I did read your earlier message. To answer
>> your question: I only apply patches that are absolutely necessary
>> to fix a known problem.

Greg> "known problem" to whom? :)

To the people on oss-security e.g? Published CVEs and obviously problems we
experience on our installations.

Greg> With that kind of attitude, you are going to miss a lot of
Greg> valuable kernel fixes for issues. I'd recommend using a
Greg> stable kernel release instead, but hey, it's your systems...

Probably something to tell Red Hat as well. They are still on 2.6.32 :)
But they have their reasons just as we have ours ...

>> Want to make sure the changed stuff doesn't lead to a regression
>> somewhere else.

Greg> Nothing is ever "sure" in software.

That's not totally new to me :) So let's say "as sure as possible".

>> Futex stuff is a central component in the kernel ... I can't
>> judge about any possible side effects from reading the code ...
>> and this kernel is going on a number of production clusters.

Greg> Test it out first, like you should any update. There are
Greg> futex test suites out there, run them yourself to verify that
Greg> nothing is broken. As for if it fixes potentially future
Greg> problems that others might not know about, well, that's a
Greg> gamble on everyone's part, right?

Right. Thanks for the hint with the test suites. Will try them out.

>> Anyway, I've applied all the (2+4) patches to our 3.12.

Greg> Why are you "stuck" at 3.12?

We need quite a bit of out-of-kernel.org stuff. Without staying on a
fixed release for some time, this is non-maintainable.

Greg> There is someone still maintaining 3.12-stable, why not rely
Greg> on those releases if you want that kernel version, instead of
Greg> rolling your own?

We thankfully do rely on that as our base. In this case though, the
patches haven't been ported until this moment. And I can't wait for them
to appear since there is no time-line when that will happen ...

Thanks for your comments,

Roland
-------
http://www.q-leap.com / http://qlustar.com
--- HPC / Storage / Cloud Linux Cluster OS ---
