[Users] New kernel vuln...

Konstantin Khorenko khorenko at parallels.com
Wed Aug 19 09:36:11 EDT 2009


Hi Scott,

> How about the latest RHEL4-based OpenVZ kernel?  Is it vulnerable?
No, it is not vulnerable simply because all vulnerable protocols are absent in the kernel (switched off in our configs).

> Are there any other advantages to the current RHEL5 kernel vs. the current RHEL4 kernel?
Well, quite a difficult question.
On the one hand - 2.6.18-x kernels are just newer, contain some improvements, in particular in performance. Not giant but still.
Some new useful features like kexec/kdump - for debugging.
As you've already noted - just updates for 2.6.18-x are released more often.

On the other hand - if you have a stable node and do not suffer from any problem - I'd just leave it as is.

--
Konstantin


On 08/18/2009 07:33 PM, Scott Dowdle wrote:
> Konstantin (or Kir),
> 
> ----- "Konstantin Khorenko" <khorenko at openvz.org> wrote:
>> just wanted to share the info:
>> I checked this issue and found that 2.6.18-128.2.1.el5.028stab064.4
>> kernel (latest OVZ) is immune to the exploits on the issue described
>> at http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
>> Exploits do not work both inside a Container and on a Hardware Node.
> 
> That IS good to know.  Thanks for the information.  All of my OpenVZ boxes are running the latest RHEL5 kernel so those are good.
> 
> How about the latest RHEL4-based OpenVZ kernel?  Is it vulnerable?  And if so, should we expect an update for that real soon now?  I still have one CentOS4-based box running the latest RHEL4-based kernel (ovzkernel-smp-2.6.9-023stab048.6).
> 
> I've heard that one can run a RHEL5 kernel on a RHEL4 host node but I haven't tried it.  The machine in question I'm a little more wary of trying new things with because it is a remote machine I don't have physical access to and I want to avoid excessive downtime... but if there are a lot of RHEL4/CentOS4 host node users running the RHEL5 kernel, I'll consider switching... although the OpenVZ kernel download page (http://wiki.openvz.org/Download/kernel) says the RHEL4 kernel is "Super stable" and the RHEL5 kernel is "Stable". :)
> 
> If the RHEL4-based kernel is vulnerable (which I'm not sure about yet) and the RHEL5 kernel isn't then that would be one advantage.  Are there any other advantages to the current RHEL5 kernel vs. the current RHEL4 kernel?
> 
> Thanks,

