Hello,
Information on CVE 2021-33909 was published on Red Hat's site on July 21st, here: https://access.redhat.com/security/cve/cve-2021-33909
Updates for CentOS 7 followed shortly thereafter.
However, it doesn't appear that there's an update available yet for this CVE for CentOS Stream 8. The latest kernel on CentOS Stream 8 that I can see is from June 28th (kernel-4.18.0-315.el8.x86_64).
At the same time, there have been other packages released for CentOS Stream 8 in the last week since the CVE was announced - just not a fix for the CVE.
So, I have a few questions:
1. What is the security updates policy for CentOS Stream 8, and are there any notifications available or planned? The official page doesn't directly include information on security updates (https://www.centos.org/centos-stream/), and I haven't yet been able to track down any other location that has that information.
2. Does anyone have an idea for when an update for CVE 2021-33909 will come out for CentOS Stream 8?
I have searched for these things but not found them - I apologize if I've missed some link, conversation, or other information that's obvious to other people regarding them! If I did, please point me in the right direction.
CentOS Stream 8 CVE 2021-33909 update?
Re: CentOS Stream 8 CVE 2021-33909 update?
The Stream repo seems to have:
    kernel-4.18.0-305.3.1.el8.x86_64.rpm     2021-06-01 19:08
    kernel-4.18.0-305.7.1.el8_4.x86_64.rpm   2021-06-29 23:29
    kernel-4.18.0-305.10.2.el8_4.x86_64.rpm  2021-07-20 19:12
    kernel-4.18.0-310.el8.x86_64.rpm         2021-06-08 03:06
    kernel-4.18.0-315.el8.x86_64.rpm         2021-06-28 20:45
Note how 4.18.0-305.7.1 and 4.18.0-305.10.2 are more recent than the 4.18.0-315. I have no idea what that means.
Re: CentOS Stream 8 CVE 2021-33909 update?
Those two kernels: 4.18.0-305.7.1 and 4.18.0-305.10.2 were uploaded more recently than 4.18.0-315, but if 4.18.0-315 is already on the system, an update doesn't install either one of them (at least for me!)
Further information:
(1) 4.18.0-305.7.1 has a build date of Tue 29 Jun 2021 03:11:57 PM PDT, which is well before the CVE came out.
(2) 4.18.0-305.10.2 has a build date of Tue 20 Jul 2021 10:44:04 AM PDT, which is promising since it's the day that Red Hat's updates were released. However, the version number is older than 4.18.0-315, so 4.18.0-305.10.2 doesn't get installed.
I suppose I could try to dissect the contents of the RPM package for the 4.18.0-305.10.2 version to see if that has a fix for the CVE, then force that kernel to boot instead of 4.18.0-315 if it does. But that seems a bit odd to do on production-ish systems.... maybe the versioning on the intended fix is off?
Is there any other forum/list where it might be useful to bring this up? Say, CentOS-devel since it may be a package versioning issue?
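The behaviour described in the post above (dnf keeping 4.18.0-315.el8 and never offering the later-built 4.18.0-305.10.2.el8_4) is what rpm's version ordering produces: candidates are ranked by Epoch:Version-Release, and build or upload dates play no part. The following is an added illustration, not part of this thread and not rpm's own code: a Python port of rpm's label comparison (the rpmvercmp algorithm) applied to the kernel file names listed earlier. The package list and its dates are constructed from those file names; the function names are my own.

```python
"""Why dnf keeps kernel-4.18.0-315.el8 over the later-built 4.18.0-305.10.2.el8_4.

Port of rpm's label comparison (rpmvercmp) plus Epoch:Version-Release
ordering. Added example, not code from the forum thread or from rpm.
"""
from functools import cmp_to_key


def _take(s, i, pred):
    """Return the run of characters satisfying pred starting at s[i], and the index after it."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release labels the way rpm does; returns -1, 0 or 1.

    Labels are split into runs of digits and runs of letters, compared pairwise:
    digit runs numerically (leading zeros dropped), letter runs lexically, and a
    digit run beats a letter run. Separators such as '.' and '_' are skipped.
    '~' sorts before anything, even end of string (1.0~rc1 < 1.0); '^' sorts
    after end of string but before anything else.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            sa, i = _take(a, i, str.isdigit)
            sb, j = _take(b, j, str.isdigit)
            if not sb:                      # digits vs letters: digits win
                return 1
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer number is the bigger one
                return 1 if len(sa) > len(sb) else -1
        else:
            sa, i = _take(a, i, str.isalpha)
            sb, j = _take(b, j, str.isalpha)
            if not sb:                      # letters vs digits: letters lose
                return -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1          # whichever label has more left wins


def evr_cmp(x, y) -> int:
    """Order (epoch, version, release) tuples: epoch first, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    rc = rpmvercmp(x[1], y[1])
    return rc if rc else rpmvercmp(x[2], y[2])


def parse_nevra(filename: str):
    """'kernel-4.18.0-305.10.2.el8_4.x86_64.rpm' -> (name, epoch, version, release, arch)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    rest, arch = base.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = 0
    if ":" in version:                      # 'name-E:V-R' form carries an epoch
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


# Constructed from the file names and upload dates quoted earlier in the thread.
STREAM_REPO = [
    ("kernel-4.18.0-305.3.1.el8.x86_64.rpm", "2021-06-01"),
    ("kernel-4.18.0-305.7.1.el8_4.x86_64.rpm", "2021-06-29"),
    ("kernel-4.18.0-305.10.2.el8_4.x86_64.rpm", "2021-07-20"),
    ("kernel-4.18.0-310.el8.x86_64.rpm", "2021-06-08"),
    ("kernel-4.18.0-315.el8.x86_64.rpm", "2021-06-28"),
]


def pick_update(repo):
    """The file dnf would install: highest Epoch:Version-Release, upload date ignored."""
    def evr(entry):
        _, e, v, r, _ = parse_nevra(entry[0])
        return (e, v, r)
    return max(repo, key=cmp_to_key(lambda p, q: evr_cmp(evr(p), evr(q))))[0]


def newest_by_date(repo):
    """The most recently uploaded file, which is not what dnf selects."""
    return max(repo, key=lambda entry: entry[1])[0]


if __name__ == "__main__":
    print("dnf would install:", pick_update(STREAM_REPO))
    print("newest upload    :", newest_by_date(STREAM_REPO))
```

Running it shows that 315.el8 outranks 305.10.2.el8_4 because the first release segment (315 vs 305) decides the comparison before anything else is looked at; a fix shipped as 305.x will therefore never be offered to a host already on 315 or 326, which is the situation described in the post above.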
Re: CentOS Stream 8 CVE 2021-33909 update?
OK, digging further, here's the commits to the kernel package source:
https://git.centos.org/rpms/kernel/commits/c8s
The second oldest commit which matches an import of a kernel version is this:
https://git.centos.org/rpms/kernel/c/39 ... branch=c8s
with a commit message of "import kernel-4.18.0-315.el8". And that's the latest kernel version which gets installed if someone did an update before the CVE came out.
The newest commit is this, from seven hours ago now:
https://git.centos.org/rpms/kernel/c/01 ... branch=c8s
with the commit message "import kernel-4.18.0-326.el8".
In the source for the commit, there's this line:
seq_file: Disallow extremely large seq buffer allocations (Ian Kent) [1975182]
... which matches the phrasing for the kernel.org commit addressing the CVE here:
https://git.kernel.org/pub/scm/linux/ke ... c8ba9cf53b
So, hopefully that package will be built and available soon!
It isn't clear to me where 4.18.0-305.7.1 and 4.18.0-305.10 fit into the picture, but at least a fix for the issue appears to be on the way.
Re: CentOS Stream 8 CVE 2021-33909 update?
> It isn't clear to me where 4.18.0-305.7.1 and 4.18.0-305.10 fit into the picture, but at least a fix for the issue appears to be on the way.
Do you also have CentOS Linux 8 repos installed and enabled? Those are the latest kernels for CentOS "Classic" 8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CentOS Stream 8 CVE 2021-33909 update?
Thanks, that does help understand where they are from.
I don't have the CentOS Linux 8 repos installed and enabled. Rather, those two package versions were mentioned as being present in the CentOS Stream repo earlier in the thread. And they are there as well as the packages that match the CentOS Stream 8 git repo commits. The exact URL to the directory in the repo that contains all of the (built and released) packages mentioned in this thread is here: http://mirror.centos.org/centos/8-strea ... /Packages/, in case there might otherwise be some ambiguity.
Re: CentOS Stream 8 CVE 2021-33909 update?
I don't have Stream; did get the list of kernels by browsing that repo URL. Should have mentioned that "Classic" has 4.18.0-305.10.2. I just have no idea why a copy is in Stream directory too.
When Red Hat "shifted focus of CentOS Project", there were explanations of how things will be.
- The usual flow is that a package is released to Stream first and might be in next RHEL point release. Stream has 4.18.0-310, 4.18.0-315, and soon 4.18.0-326. It is now obvious that the 310 and 315 will never be in RHEL.
- Security patches are an exception. Red Hat's first priority is official releases (RHEL 8.4, RHEL 7.9, ...). RHEL 8.4 has the 305-branch of kernel. CentOS Stream has something different. There is less reason to quickly patch, since the Stream is in constant flux (until a feature freeze towards RHEL 8.5 occurs?). Remember, "CentOS is not for production".