CVE-2021-4034 (pwnkit)

Support for security such as Firewalls and securing linux
robfico2
Posts: 1
Joined: 2022/01/26 04:11:07

polkit vulnerability patch?

Post by robfico2 » 2022/01/26 04:13:02

With the recent polkit root compromise vulnerability, do you know when CentOS 7 will release the updated polkit package? RHEL has it available already.

JvE
Posts: 1
Joined: 2022/01/26 10:00:28

CVE-2021-4034 (pwnkit)

Post by JvE » 2022/01/26 10:04:11

Red Hat has a polkit-0.112-26.el7_9.1 available.
When can we expect an updated PolKit package for CentOS 7?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4034 (pwnkit)

Post by TrevorH » 2022/01/26 10:48:33

The update is built and has been through QA; it needs to be signed and released, but it's the middle of the night in the USA so...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hawaiian717
Posts: 184
Joined: 2009/01/30 19:58:25
Location: California

Re: CVE-2021-4034 (pwnkit)

Post by hawaiian717 » 2022/01/26 20:09:06

I see the polkit update now available for CentOS 7.

ssickelmann2
Posts: 1
Joined: 2022/01/26 19:17:06

Re: CVE-2021-4034 (pwnkit)

Post by ssickelmann2 » 2022/01/27 06:54:49

@hawaiian717:

Unfortunately I cannot find any update for polkit. Where did you see it?

http://mirror.centos.org/centos/7/os/x86_64/Packages/

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4034 (pwnkit)

Post by TrevorH » 2022/01/27 10:34:23

Your url is pointing to /os/ and updates do not go into /os/, they go into /updates/. And you should not need to use the URL directly anyway, just yum update

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2021-4034 (pwnkit)

Post by jlehtone » 2022/01/27 12:43:00

Yum does cache some repository metadata and therefore can occasionally be a bit "out of touch". Flushing caches helps in that:

Code:

yum clean all
yum update

(The 'clean' could be more specific than 'all', but I've never bothered to read the whole manual ...)

Personally, I did multiple machines simultaneously with:

Code:

ansible all --become -m yum -a 'state=latest update_cache=yes name=*'

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4034 (pwnkit)

Post by TrevorH » 2022/01/27 15:59:28

CentOS 8 with dnf now allows a yum update --refresh so you can skip the clean all step. It does not work on CentOS 7.

unimage
Posts: 1
Joined: 2022/01/27 18:32:06

Re: CVE-2021-4034 (pwnkit)

Post by unimage » 2022/01/27 18:34:38

So is the mitigation to simply install polkit-0.112-26.el7_9.1.src.rpm?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4034 (pwnkit)

Post by TrevorH » 2022/01/27 18:37:25

The fixed version is polkit-0.112-26.el7_9.1.x86_64 and it does not require a reboot to take effect.

If there was no fixed package then there's a systemtap mitigation for the exploit listed on the Red Hat info page about this.
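An added example, not part of any post in this thread: after running the update across many machines, one way to confirm that every host reached the fixed build named above is to compare each installed version-release against it using RPM's segment-wise ordering. It assumes the strings were collected with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit`, that the package has no epoch, and the host names and inventory lines are constructed.

```python
import re
from itertools import zip_longest

# Fixed CentOS 7 build as stated in the thread (version-release, no arch).
FIXED = "0.112-26.el7_9.1"

def rpmvercmp(a, b):
    """Compare two RPM version or release strings; returns -1, 0 or 1."""
    seg = lambda s: re.findall(r"\d+|[A-Za-z]+|~", s)  # separators are ignored
    for x, y in zip_longest(seg(a), seg(b)):
        if x == y:
            continue
        if x == "~" or y == "~":        # a tilde sorts before everything
            return -1 if x == "~" else 1
        if x is None or y is None:      # the string with segments left is newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) == int(y):        # "07" and "7" are equal
                continue
            return 1 if int(x) > int(y) else -1
        if x.isdigit() != y.isdigit():  # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        return 1 if x > y else -1       # both alphabetic: plain string order
    return 0

def is_fixed(installed, fixed=FIXED):
    """True if installed version-release is at or above the fixed build."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def unpatched(inventory):
    """Return hosts whose polkit is still below FIXED."""
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return [host for host, vr in rows if not is_fixed(vr)]

# Constructed sample inventory: "<host> <version-release>" per line.
SAMPLE = """\
web01   0.112-26.el7_9.1
web02   0.112-26.el7
db01    0.112-22.el7_7.1
build01 0.112-27.el7
"""

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```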
