CentOS Stream 8 CVE 2021-33909 update?

Support for security such as Firewalls and securing linux
victor8
Posts: 4
Joined: 2021/07/28 18:02:38

CentOS Stream 8 CVE 2021-33909 update?

Post by victor8 » 2021/07/28 18:53:17

Hello,

Information on CVE 2021-33909 was published on Red Hat's site on July 21st, here: https://access.redhat.com/security/cve/cve-2021-33909

Updates for CentOS 7 followed shortly thereafter.

However, it doesn't appear that there's an update available yet for this CVE for CentOS Stream 8. The latest kernel on CentOS Stream 8 that I can see is from June 28th (kernel-4.18.0-315.el8.x86_64).

At the same time, there have been other packages released for CentOS Stream 8 in the last week since the CVE was announced - just not a fix for the CVE.

So, I have a few questions:

1. What is the security updates policy for CentOS Stream 8, and are there any notifications available or planned? The official page doesn't directly include information on security updates (https://www.centos.org/centos-stream/), and I haven't yet been able to track down any other location that has that information.

2. Does anyone have an idea for when an update for CVE 2021-33909 will come out for CentOS Stream 8?

I have searched for these things but not found them - I apologize if I've missed some link, conversation, or other information that's obvious to other people regarding them! If I did, please point me in the right direction.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by jlehtone » 2021/07/28 21:59:09

The Stream repo seems to have:


kernel-4.18.0-305.3.1.el8.x86_64.rpm	2021-06-01 19:08
kernel-4.18.0-305.7.1.el8_4.x86_64.rpm	2021-06-29 23:29
kernel-4.18.0-305.10.2.el8_4.x86_64.rpm	2021-07-20 19:12
kernel-4.18.0-310.el8.x86_64.rpm	2021-06-08 03:06
kernel-4.18.0-315.el8.x86_64.rpm	2021-06-28 20:45
Note how 4.18.0-305.7.1 and 4.18.0-305.10.2 are more recent than the 4.18.0-315. I have no idea what that means.

victor8
Posts: 4
Joined: 2021/07/28 18:02:38

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by victor8 » 2021/07/29 01:29:47

Those two kernels: 4.18.0-305.7.1 and 4.18.0-305.10.2 were uploaded more recently than 4.18.0-315, but if 4.18.0-315 is already on the system, an update doesn't install either one of them (at least for me!)

Further information:

(1) 4.18.0-305.7.1 has a build date of Tue 29 Jun 2021 03:11:57 PM PDT, which is well before the CVE came out.

(2) 4.18.0-305.10.2 has a build date of Tue 20 Jul 2021 10:44:04 AM PDT, which is promising since it's the day that Red Hat's updates were released. However, the version number is older than 4.18.0-315, so 4.18.0-305.10.2 doesn't get installed.

I suppose I could try to dissect the contents of the RPM package for the 4.18.0-305.10.2 version to see if that has a fix for the CVE, then force that kernel to boot instead of 4.18.0-315 if it does. But that seems a bit odd to do on production-ish systems.... maybe the versioning on the intended fix is off?

Is there any other forum/list where it might be useful to bring this up? Say, CentOS-devel since it may be a package versioning issue?
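The "older version number" effect described in this post comes from RPM's version comparison, not from upload dates. The following is an added example, not code from the thread or from CentOS: a small Python port of librpm's rpmvercmp() applied to the kernel releases named above, showing which of them dnf would actually treat as an upgrade over an installed 4.18.0-315.el8 (the release strings are the ones from this thread; the evrcmp/upgrade_candidates helper names are my own).

```python
import re

# Port of librpm's rpmvercmp(): compare digit/letter runs segment by segment,
# numeric beats alpha, '~' (pre-release marker) sorts before anything.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    # equal common prefix: leftover segments win unless they start with '~'
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0

def evrcmp(a, b):
    # (epoch, version, release) tuples, compared field by field as dnf does
    return next((r for r in map(rpmvercmp, map(str, a), map(str, b)) if r), 0)

def upgrade_candidates(installed, available):
    """Packages dnf would treat as an upgrade over the installed (epoch, ver, rel)."""
    return [evr for evr in available if evrcmp(evr, installed) > 0]

# The kernel releases named in this thread (epoch 0, version 4.18.0 throughout)
INSTALLED = (0, "4.18.0", "315.el8")
IN_REPO = [(0, "4.18.0", "305.7.1.el8_4"), (0, "4.18.0", "305.10.2.el8_4"),
           (0, "4.18.0", "310.el8"), (0, "4.18.0", "326.el8")]

if __name__ == "__main__":
    # 305.10.2 was uploaded last but compares older than 315, so only 326 qualifies
    for evr in upgrade_candidates(INSTALLED, IN_REPO):
        print("dnf would upgrade to kernel-%s-%s" % evr[1:])
```

The same comparison is what `rpmdev-vercmp` (from rpmdevtools) performs on a real system, so it can be used to confirm the result against the actual installed kernel.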

victor8
Posts: 4
Joined: 2021/07/28 18:02:38

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by victor8 » 2021/07/29 03:17:44

OK, digging further, here's the commits to the kernel package source:

https://git.centos.org/rpms/kernel/commits/c8s

The second oldest commit which matches an import of a kernel version is this:
https://git.centos.org/rpms/kernel/c/39 ... branch=c8s

with a commit message of "import kernel-4.18.0-315.el8". And that's the latest kernel version which gets installed if someone did an update before the CVE came out.

The newest commit is this, from seven hours ago now:
https://git.centos.org/rpms/kernel/c/01 ... branch=c8s
with the commit message "import kernel-4.18.0-326.el8".

In the source for the commit, there's this line:
seq_file: Disallow extremely large seq buffer allocations (Ian Kent) [1975182]

... which matches the phrasing for the kernel.org commit addressing the CVE here:
https://git.kernel.org/pub/scm/linux/ke ... c8ba9cf53b

So, hopefully that package will be built and available soon!

It isn't clear to me where 4.18.0-305.7.1 and 4.18.0-305.10 fit into the picture, but at least a fix for the issue appears to be on the way.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by TrevorH » 2021/07/29 04:29:18

It isn't clear to me where 4.18.0-305.7.1 and 4.18.0-305.10 fit into the picture, but at least a fix for the issue appears to be on the way.
Do you also have CentOS Linux 8 repos installed and enabled? Those are the latest kernels for CentOS "Classic" 8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

victor8
Posts: 4
Joined: 2021/07/28 18:02:38

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by victor8 » 2021/07/29 05:08:17

TrevorH wrote:
2021/07/29 04:29:18
It isn't clear to me where 4.18.0-305.7.1 and 4.18.0-305.10 fit into the picture, but at least a fix for the issue appears to be on the way.
Do you also have CentOS Linux 8 repos installed and enabled? Those are the latest kernels for CentOS "Classic" 8.
Thanks, that does help understand where they are from.

I don't have the CentOS Linux 8 repos installed and enabled. Rather, those two package versions were mentioned as being present in the CentOS Stream repo earlier in the thread. And they are there as well as the packages that match the CentOS Stream 8 git repo commits. The exact URL to the directory in the repo that contains all of the (built and released) packages mentioned in this thread is here: http://mirror.centos.org/centos/8-strea ... /Packages/, in case there might otherwise be some ambiguity.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS Stream 8 CVE 2021-33909 update?

Post by jlehtone » 2021/07/29 06:43:23

I don't have Stream; did get the list of kernels by browsing that repo URL. Should have mentioned that "Classic" has 4.18.0-305.10.2. I just have no idea why a copy is in Stream directory too.
When Red Hat "shifted focus of CentOS Project", there were explanations of how things will be.
  • The usual flow is that a package is released to Stream first and might be in next RHEL point release. Stream has 4.18.0-310, 4.18.0-315, and soon 4.18.0-326. It is now obvious that the 310 and 315 will never be in RHEL.
  • Security patches are an exception. Red Hat's first priority are official releases (RHEL 8.4, RHEL 7.9, ...). RHEL 8.4 has the 305-branch of kernel. CentOS Stream has something different. There is less reason to quickly patch, since the Stream is in constant flux (until a feature freeze towards RHEL 8.5 occurs?). Remember, "CentOS is not for production".
