We are in the process of migrating this forum. A new space will be available soon. We are sorry for the inconvenience.

Urgent and Important: Security fault


AdamD
19-11-2010, 10:41
Thanks Fozl

fozl
16-11-2010, 11:43
Yes, select a Netboot kernel and reboot is ok.

AdamD
16-11-2010, 10:45
So if we're currently booting from a preinstalled GRS OVH kernel, from the harddrive, we can simply switch to a netboot kernel and carry on as normal? Or do we have to update the kernel on the server itself?

I'm a little confused, it sounds as if the servers can be booted from the network, so we don't have to worry about kernel updates? Is that right?

Tipika
08-11-2010, 22:47
You mean that you upgraded without any problems?

yonatan
08-11-2010, 19:57
I am running 1.6 with no issues.

Tipika
08-11-2010, 19:03
I tried that guide, but it looks like is going to upgrade to 1.6
Due to changes made by ovh on the softraid, i am scared to upgrade

Anyone tried?

yonatan
02-11-2010, 17:49
Quote Originally Posted by Tipika
the kernel 2.6.35 is patched?
Yes, this version used by proxmox is patched.
but it lacks openVZ support.
so only if you use KVM only its for you.

Razakel
02-11-2010, 11:16
Quote Originally Posted by Tipika
Anyway, how this exploit works?
Without any user interaction " la windows", or it needs an user or apache exploit to be run?
I think it needs a user, but that user doesn't need to be privileged. Or a remote execution exploit will do it.

It's a serious enough vulnerability that you should update regardless.

Tipika
02-11-2010, 10:43
Anyway, how this exploit works?
Without any user interaction " la windows", or it needs an user or apache exploit to be run?

Neil
02-11-2010, 09:47
Quote Originally Posted by Tipika
the kernel 2.6.35 is patched?
Depends, the vulnerability was in 2.6.30 through to 2.6.36-rc8, but our netboot kernels have been patched so we recommend you use them.

Tipika
02-11-2010, 08:32
the kernel 2.6.35 is patched?

yonatan
30-10-2010, 01:13
Quote Originally Posted by Tipika
If i have proxmox, how to update the kernel?

The last time i tried to upgrade proxmox, i rendered my server unbootable
http://pve.proxmox.com/wiki/Proxmox_...#Kernel_2.6.35

Tipika
29-10-2010, 16:58
If i have proxmox, how to update the kernel?

The last time i tried to upgrade proxmox, i rendered my server unbootable

Myatu
18-09-2010, 10:57
Quote Originally Posted by mks
How do I update the kernal?
If you use one of OVH's distro's - with the exception of the virtualisation packages (ie., Proxmox, VMWare, etc) - then you can use the Netboot option to select one of OVH's updated kernels (Manager -> Dedicated Server -> Netboot) and then do a hard-reboot after making that change.

Myatu
18-09-2010, 10:55
Quote Originally Posted by slacker
2.6.34-RC4 is NOT patched!
The fix was commited on September 14th, two days after -rc4 had been released.
Nice catch, you're right

For those who compile the kernel, you can patch the source yourself though: http://www.kernel.org/diff/diffview....-git4.bz2;z=31

Hopefully OVH noticed this as well

mks
18-09-2010, 00:58
How do I update the kernal?

Myatu
17-09-2010, 23:39
Quote Originally Posted by raidensnake
even though mine isn't linux a friend wants to know if it affects centos 5.5 users?
Any 64-bit kernel including and after 2.6.27 *and* those before 2.6.22. I'd definitely upgrade to the latest kernel, as it's quite easy to exploit this bug.

LawsHosting
17-09-2010, 23:11
So 32bit kernals are ok by the looks of it? Yes, yes, I still use 32bit... Bite me!

makno
17-09-2010, 21:11
this type of message should be posted in english at least on the english forum, let's try to refresh my school year french and understand if i might be ion trouble or not :\

slacker
17-09-2010, 20:41
2.6.34-RC4 is NOT patched!
The fix was commited on September 14th, two days after -rc4 had been released.

raidensnake
17-09-2010, 20:28
even though mine isn't linux a friend wants to know if it affects centos 5.5 users?

MicroChip123
17-09-2010, 19:03
Hello
SI
you have a dedicated server
AND
it runs on Linux
AND
it is 64-bit
THEN
your server is hackable!

You NEED to update it! Do not wait!

The exploit, which provides the root is publicly
available.

What to do?
------------
Must update the kernel of your server.

How?
---------
- If you are in "total security":
you received an email from the Planning reboot
server, you have nothing to do

- If you are "netboot" / RPS / Cloud:
just reboot your server.

- If you're kernel Manual ":
you have the new kernels on
ftp://ftp.ovh.net/made-in-ovh/bzImage/
is the bzImage-2.6.34.6-xxxx

- If you compile:
on kernel.org sources are vulnerable. Must
patch. Only 2.6.36-RC4 is patched. (To be confirmed,
we were quickly checked).

After setting up the kernel you should see this:
Uname-a # *
XXXXXXX Linux 2.6.34.6-xxxx-std-ipv6-64 # 3 SMP Fri September 17
^^^^^^^^

We must see 2.6.34.6.

PS. Now there is only one nucleus (IPv4 IPv6)
named bzImage-xxxx-xxxx-ipv6

Details:
-------
A security vulnerability (CVE-2010-3301) to obtain
local root privilege has been (re) discovery
at the 32bit emulation on 64bit systems.

All 64bit kernels since 2.6.27 are vulnerable.

For history, the flaw had been fixed in 2007
2.6.22.7 (CVE-2007-4573), but a decline occurred
2008.

[Explanations and achievement: http://sota.gen.nz/compat2/]

Regards
Octave
That makes no sense can i have the proper translation

oles@ovh.net
17-09-2010, 18:54
Hello,

IF

you have a dedicated server

AND

it uses Linux

AND

it is 64-bit

THEN

your server is hackable !!!

You NEED to update it!! Do not wait!!!

The exploit providing the root is publicly available.

What to do?
------------
You must update the kernel of your server.

How ?
---------
- if you are in "total security":
You have received an email planning a reboot of the server, you have nothing to do

- If you are in "netboot" / RPS / Cloud:
just reboot your server.

- If you're "Manual kernel":
you have the new kernels on
ftp://ftp.ovh.net/made-in-ovh/bzImage/
It is the bzImage-2.6.34.6-xxxx

- if you compile:
the sources on kernel.org are vulnerable. It must be patched. Only 2.6.36-RC4 is patched. (To be confirmed, we are quickly checking).

After setting up the kernel you should see this:
#*uname -a
Linux XXXXXXX 2.6.34.6-xxxx-std-ipv6-64 #3 SMP Fri Sep 17
^^^^^^^^

We must see 2.6.34.6.

PS. Now there is only one kernel (IPv4 + IPv6) called bzImage-xxxx-ipv6-xxxx

Detail:
-------

to obtain local root privileges just

A security fault (CVE-2010-3301) allowing the obtaining locally of root privileges to be (re)discovered for 32-bit emulation on the 64-bit systems.

All 64-bit kernels since 2.6.27 are vulnerable.

For history, the flaw had been fixed in 2007 in the 2.6.22.7 (CVE-2007-4573), but a decline occurred in 2008.

[explications and exploit: http://sota.gen.nz/compat2/]

All the best,
Octave