CVE-2021-33909

Support for security such as Firewalls and securing linux
john.lauro
Posts: 2
Joined: 2019/09/26 15:49:03

Re: CVE-2021-33909

Post by john.lauro » 2021/07/29 13:30:01

harrywangca wrote:
2021/07/27 04:56:04
I am running CentOS 7.6 1810 and I referred to:

https://lists.centos.org/pipermail/cent ... 48344.html
and
http://mirror.centos.org/centos/7/updat ... s/?C=M;O=D
to download:
bpftool-3.10.0-1160.36.2.el7.x86_64.rpm
kernel-3.10.0-1160.36.2.el7.x86_64.rpm
...
then put them all together in a folder, go to that folder and apply all the RPMs via: yes | yum --disablerepo=\* update ./*.rpm ;

It works! No vulnerability on my system now.

Good luck
How did you verify no vulnerability on your system?

I have kernel-3.10.0-1160.36.2.el7.x86_64 installed and running, but the CVE doesn't show with yum changelog all kernel

(EL8 boxes are good, but not EL7).

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-33909

Post by TrevorH » 2021/07/29 16:44:19

EL8 rpm changelog

* Mon Jul 12 2021 Jan Stancek <jstancek@redhat.com> [4.18.0-305.10.2.el8_4]
- seq_file: Disallow extremely large seq buffer allocations (Ian Kent) [1975181 1975182] {CVE-2021-33909}

EL7 rpm changelog

* Wed Jul 07 2021 Augusto Caringi <acaringi@redhat.com> [3.10.0-1160.36.2.el7]
- seq_file: Disallow extremely large seq buffer allocations (Ian Kent) [1975251]

Same problem description, just missing the CVE number.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
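The check above (the EL7 changelog carries the seq_file fix description but not the CVE id, so grepping for CVE-2021-33909 gives a false negative) turned into a script. This is an added example, not code from the thread and not CentOS or Red Hat tooling: the two fixed versions are the builds quoted in the changelogs above, and everything else (the function names, the output format, the KCHECK_NO_MAIN variable) is my own. Kernels from other EL8 update streams are compared against the 8.4 build quoted here, which is an assumption that may not hold for them.

```shell
#!/bin/sh
# Added example, not CentOS/Red Hat tooling. Decides whether an EL7/EL8
# kernel release string is at or above the build whose rpm changelog
# carries "seq_file: Disallow extremely large seq buffer allocations"
# (the CVE-2021-33909 fix). Fixed versions come from the changelogs quoted
# in the thread; everything else here is an assumption of this example.

FIXED_EL7="3.10.0-1160.36.2.el7"
FIXED_EL8="4.18.0-305.10.2.el8_4"

# kver_ge A B: exit 0 if kernel release A >= B, 1 otherwise.
# The dist tag (.el7 / .el8_4) and arch are stripped, then the remaining
# dot/dash separated fields are compared numerically, so 1160.36.2 sorts
# after 1160.31.1 and 1160.41.1 sorts after 1160.36.2.
kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.el[0-9].*$/, "", a); sub(/\.el[0-9].*$/, "", b)
        na = split(a, fa, "[.-]"); nb = split(b, fb, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# fixed_for REL: print the fixed version for REL's EL family, nothing if
# the release is not an EL7/EL8 kernel (upstream, Debian, etc.).
fixed_for() {
    case "$1" in
        *.el7*) printf '%s\n' "$FIXED_EL7" ;;
        *.el8*) printf '%s\n' "$FIXED_EL8" ;;
        *)      : ;;
    esac
}

# kernel_status REL: print fixed / vulnerable / unknown for one release.
kernel_status() {
    fixed=$(fixed_for "$1")
    if [ -z "$fixed" ]; then echo unknown; return 2; fi
    if kver_ge "$1" "$fixed"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# check_host: running kernel, every installed kernel rpm, and the changelog.
# rpm is only queried when present, so the functions above run anywhere.
check_host() {
    running=$(uname -r 2>/dev/null || echo unknown)
    printf 'running   %-40s %s\n' "$running" "$(kernel_status "$running")"
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel 2>/dev/null |
    while read -r k; do
        printf 'installed %-40s %s\n' "$k" "$(kernel_status "$k")"
    done
    # EL7's changelog entry has no CVE id, so grep for the fix description,
    # not for CVE-2021-33909 (that grep is what misled the thread).
    if rpm -q --changelog kernel 2>/dev/null |
       grep -q 'seq_file: Disallow extremely large seq buffer allocations'; then
        echo "changelog: seq_file fix present in an installed kernel rpm"
    else
        echo "changelog: seq_file fix not found"
    fi
}

# Run the host check only when executed directly; set KCHECK_NO_MAIN=1
# to source the functions without running it.
[ "${KCHECK_NO_MAIN:-0}" = 1 ] || check_host
```

The "running" line is the one that matters: a fixed kernel that is installed but is not what uname -r reports is not protecting the box until it has been booted, which is the "installed and running" distinction the posts above are making.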

jojoe
Posts: 8
Joined: 2020/08/03 15:39:32
Location: Munich, Germany

Re: CVE-2021-33909

Post by jojoe » 2021/07/30 11:05:11

Any news on when a kernel addressing CVE-2021-33909 will be available?

[root@vicb-submit-01 ~]# cat /etc/centos-release ; uname -a ; yum check-update
CentOS Linux release 7.9.2009 (Core)
Linux vicb-submit-01.scidom.de 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.plusline.net
* epel: scientificlinux.physik.uni-muenchen.de
* extras: ftp.fau.de
* updates: ftp.fau.de


IGNORE this query
================

[root@vicb-submit-01 ~]# rpm -q --changelog kernel-3.10.0-1160.36.2.el7.x86_64 |grep CVE |head -10
- media: xirlink_cit: add missing descriptor sanity checks (Mark Langsdorf) [1826877] {CVE-2020-11668}
- Bluetooth: verify AMP hci_chan before amp_destroy (Gopal Tiwari) [1962532] {CVE-2021-33034}
- sched/fair: Use RCU accessors consistently for ->numa_group (Rafael Aquini) [1915635] {CVE-2019-20934}
- sched/fair: Don't free p->numa_faults with concurrent readers (Rafael Aquini) [1915635] {CVE-2019-20934}
- sched/numa: Simplify task_numa_compare() (Rafael Aquini) [1915635] {CVE-2019-20934}
- sched/numa: Fix task_numa_free() lockdep splat (Rafael Aquini) [1915635] {CVE-2019-20934}


but as TrevorH mentioned, the changelog did not mention the CVE, just the description:
[root@vicb-submit-01 ~]# rpm -q --changelog kernel-3.10.0-1160.36.2.el7.x86_64 | head -10
* Wed Jul 07 2021 Augusto Caringi <acaringi@redhat.com> [3.10.0-1160.36.2.el7]
- seq_file: Disallow extremely large seq buffer allocations (Ian Kent) [1975251]

* Wed Jul 07 2021 Augusto Caringi <acaringi@redhat.com> [3.10.0-1160.36.1.el7]
- cipso,calipso: resolve a number of problems with the DOI refcounts (Antoine Tenart) [1967720]
- net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() (Alaa Hleihel) [1962406]
- sched/debug: Fix cgroup_path[] serialization (Waiman Long) [1912221]
- sched/debug: Reset watchdog on all CPUs while processing sysrq-t (Waiman Long) [1912221]
- vt: vt_ioctl: fix use-after-free in vt_in_use() (Vladis Dronov) [1872778]

harrywangca
Posts: 107
Joined: 2016/01/12 23:27:04
Location: Vista California

Re: CVE-2021-33909

Post by harrywangca » 2021/08/05 03:16:00

john.lauro wrote:
2021/07/29 13:30:01
harrywangca wrote:
2021/07/27 04:56:04
I am running CentOS 7.6 1810 and I referred to:

https://lists.centos.org/pipermail/cent ... 48344.html
and
http://mirror.centos.org/centos/7/updat ... s/?C=M;O=D
to download:
bpftool-3.10.0-1160.36.2.el7.x86_64.rpm
kernel-3.10.0-1160.36.2.el7.x86_64.rpm
...
then put them all together in a folder, go to that folder and apply all the RPMs via: yes | yum --disablerepo=\* update ./*.rpm ;

It works! No vulnerability on my system now.

Good luck
How did you verify no vulnerability on your system?

I have kernel-3.10.0-1160.36.2.el7.x86_64 installed and running, but the CVE doesn't show with yum changelog all kernel

(EL8 boxes are good, but not EL7).
https://github.com/RedHatProductSecurit ... s/releases
Download script: CVE-2021-33909--2021-07-27-1306.sh to test

RandX
Posts: 1
Joined: 2021/08/11 12:07:56

Re: CVE-2021-33909

Post by RandX » 2021/08/11 12:14:14

Hi all,

New to the forums, glad to be here :-)

Any idea on how to easily fix this for CentOS 7 yet? I have systemd ver. 219 running on mine and there are quite a few. It would be great with just a single RPM or something available from a mirror, you know, something quick and easy.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-33909

Post by TrevorH » 2021/08/11 12:59:25

yum update

Is that simple enough? The fix was released by Red Hat for RHEL 7 on the 20th July then rebuilt for CentOS on the 21st and released on the 22nd. I'm not really sure why people keep asking where it is when it's been out for 3 weeks already. The fixed version is kernel-3.10.0-1160.36.2.el7.x86_64 (or higher).
