Kernel Update - does it make sense, even no problems ?
Does it make sense to update the kernel from:
kernel-3.10.0-1127.el7.x86_64
to:
kernel-3.10.0-1127.10.1.el7
even when I have no problems with the original kernel?
Re: Kernel Update - does it make sense, even no problems ?
Yes. You're several kernels backlevel from the current one and those fix a number of security problems. You can see the rpm changelog by running
rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | less
and if you want to see the list of CVEs fixed then run
[trevor@centos7 ~]$ rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | head -101 | grep -i cve
- [net] netlabel: cope with NULL catmap (Paolo Abeni) [1827239 1827240] {CVE-2020-10711}
- [kernel] blktrace: fix dereference after null check (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: Protect q->blk_trace with RCU (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix trace mutex deadlock (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked registration of tracepoints (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked access to init/start-stop/teardown (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] tracing: Fix possible double free on failure of allocating trace buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
- [kernel] tracing: Fix crash when it fails to alloc ring buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
You can look up those CVEs by consulting e.g. https://access.redhat.com/security/cve/CVE-2020-10711 and read about what they are.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
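An added example, not part of the original posts: instead of cutting the changelog at a fixed line count with `head -101`, this function stops at the header of the kernel build that is already installed and summarises the CVEs fixed since then, with the lookup URL pattern from the reply above. It assumes each changelog entry starts with a `* <date> <name> [<version>]` header and that the newest entry comes first; the header lines and the last entry in the sample are constructed, the fix lines are copied from the reply.

```shell
#!/usr/bin/env bash
# cves_since BASE: read `rpm -q --changelog` text on stdin and print every CVE
# fixed in entries newer than BASE as "<CVE> <patch count> <advisory URL>".
# Assumption: entry headers look like "* <date> <name> [<version>]", newest first.
cves_since() {
    awk -v base="$1" '
        /^\*/ { if (index($0, "[" base "]")) exit; next }  # reached the installed build
        {
            line = $0
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                cve = substr(line, RSTART, RLENGTH)
                if (!(cve in count)) order[++n] = cve      # keep first-seen order
                count[cve]++
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d https://access.redhat.com/security/cve/%s\n", order[i], count[order[i]], order[i]
        }'
}

# Constructed sample input: both "*" header lines and the final entry are made up
# for this example; the other fix lines are taken from the reply above.
sample_changelog() {
    cat <<'EOF'
* Wed Jan 01 2020 Example Maintainer <maint@example.com> [3.10.0-1127.10.1.el7]
- [net] netlabel: cope with NULL catmap (Paolo Abeni) [1827239 1827240] {CVE-2020-10711}
- [kernel] blktrace: fix dereference after null check (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: Protect q->blk_trace with RCU (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] tracing: Fix crash when it fails to alloc ring buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
* Wed Jan 01 2020 Example Maintainer <maint@example.com> [3.10.0-1127.el7]
- [example] constructed entry already present in the installed kernel (Nobody) [0000000] {CVE-0000-00000}
EOF
}

# On a real system (not run here):
#   rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | cves_since 3.10.0-1127.el7
sample_changelog | cves_since 3.10.0-1127.el7
```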