
Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/19 20:26:02
by mojorisinagain
As reported by Qualys (https://blog.qualys.com/securitylabs/20 ... tack-clash), Stack Clash is a memory management vulnerability. Related vulnerabilities are CVE-2017-1000364, CVE-2017-1000365, and CVE-2017-1000367, and Qualys's advisory is at https://www.qualys.com/2017/06/19/stack ... -clash.txt

Security patch time-frame?

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/19 21:08:23
by avij
See https://access.redhat.com/security/vuln ... stackguard

Note that CentOS rebuilds updates published by Red Hat when they become available, and the CentOS Project does not have any "inside" information about release dates or such.

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 11:24:50
by wrc
Yet again I'm pulling my hair over CentOS being slow to release patches for another serious bug, for which patches exist both upstream and for Scientific Linux (not to mention other distros like Debian).

I mean, this is priv-esc (and might be exploitable remotely), for which PoC exploits exist in the wild.

So please, can we get some decent information/somewhat of an ETA?

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 13:23:15
by gerhard
@wrc As CentOS is free and the community is doing a great job, I guess there is no reason to complain about being slow.

Still, I would like to ask for an update about the patches for the Stack Clash vulnerability. From what I have read, Red Hat has released their patches already, which from my understanding means that they can be merged into CentOS.

Red Hat announcement: https://access.redhat.com/security/vuln ... stackguard

I understand that the community might be busy working on it. I am not asking about the fix now but it would be great to get an estimate for when approximately the patches might be available.

Thanks a lot!

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 13:32:52
by TrevorH
The patches for CentOS 6 are already out and propagating to the mirrors at the moment. The CentOS 7 kernels are more complicated as they need to be signed for secure boot but should be along shortly.

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 14:18:44
by wrc
@gerhard: Yes, I do appreciate the work on CentOS (even though my initial post might seem a bit harsh), but I'd also appreciate maybe an announcement on the CentOS-announce mailing list so we can schedule time for updating and rebooting hundreds of production servers. I'm just annoyed by the fact that it seems to take longer for CentOS to update when shit hits the fan and/or information being a bit lacking, when an equivalent (read: Scientific Linux) does this better. They released the patches for SL6 and SL7 yesterday and announced it in their dev blog.

@TrevorH: Thank you for the update, I see the announcement hit CentOS-announce finally. Will start upgrading our CentOS 6 boxes and continue with CentOS 7 boxes after that.

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 20:35:23
by avij
CentOS 7 updates for both glibc and kernel were pushed to mirrors a few hours ago. You should now be able to yum update to get the updates.

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/20 21:30:24
by mojorisinagain
Thank you ... appreciate the update!

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/21 07:24:40
by yst1979
Dear all,

I have updated my system with the command
yum update glibc kernel*
After this, I ran the test script provided by Red Hat at the URL
https://access.redhat.com/security/vuln ... stackguard under the Diagnose section
and the result shows that the kernel is still vulnerable.

May I know if more patches for CentOS will be released or should I just ignore the return message?
Please refer to the images, thanks in advance

script test before update
Image

script test after update
Image

Re: Stack Clash / Stack Guard Page vulnerability ...

Posted: 2017/06/21 07:38:54
by gerhard
Thanks for the update! Great work! :D