[Triumf-linux-managers] 'CRITICAL' Risk CVE-2016-5195 - trcomp cluster
Andrew Daviel
advax at triumf.ca
Mon Oct 24 19:17:37 PDT 2016
On Sun, 23 Oct 2016, Andrew Daviel wrote:
> I am still uncertain about whether to recommend the systemtap patch; people
> are still arguing on bugzilla.
There is a RHEL patch RHEL 7 per
https://rhn.redhat.com/errata/RHSA-2016-2098.html
- kernel-3.10.0-327.36.3.el7.x86_64.rpm which has appeared for SL
and should appear for CentOS soon.
I have implemeted the Systemtap mitigation on trcomp01 and trcomp02,
since at the time of writing there does not appear to be an
official updated kernel for RHEL 5 or 6, and there are a large number of
user accounts on that cluster.
This has a side effect of blocking ptrace, and things that depend on it
(gdb, strace)
There is an unofficial patched kernel for CentOS 6 2.6.32-642.6.1 at
http://rep.grid.kiae.ru/pub/cve-2016-5195/
I have not tried it.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
More information about the Triumf-linux-managers
mailing list