[SATLUG] unthreaded VMware kernel fun

Al Castanoli afcasta at satx.rr.com
Tue Jun 24 15:01:42 CDT 2008


On Sun, 2008-06-22 at 20:03 -0500, Daniel J. Givens wrote:
> On Sun, 22 Jun 2008 17:37:09 -0500
> Al Castanoli <afcasta at satx.rr.com> wrote:
> 
> > On Sun, 2008-06-22 at 15:55 -0500, John D Choate wrote:
> > > After 5.5 years of using Linux (Mandrake/Mandriva), I have never
> > > compiled a kernel. I know it would be a good learning experience
> > > for me, but I've never found any other reason for doing it.
> > 
> > There's a vulnerability message out on kernels below 2.5.25.6 that
> > requires some of us who maintain government computers to do a kernel
> > upgrade.  None of my RHEL or Scientific Linux servers have an .rpm
> > package high enough so I rolled one from scratch using 2.5.25.7 from
> > kernel.org and it went pretty well.
> 
> First, let me say that this really should have been a new topic
> altogether, not a reply to an existing thread. Yes, I use a threaded
> email client (Claws Mail) and there are certain threads I just don't
> follow. It was only by chance that I read this one.

It's a bad habit from years of reading alt.folklore.computers and
alt.sysadmin.recovery.  Apologies.

> I assume you're talking about the 2.6 kernels, not 2.5 since those were
> development releases. 

Yes, I tossed in a typo.  I got it right in the original subject, but
wrong in the text of the message. The kernels I'm unable to use with
VMware are the two most recent - 2.6.25.7 and 2.6.25.8.

> Red Hat, along with most other distribution
> makers, have a policy of backporting bug fixes. You should read the
> article on this at the Red Hat site.
> 
> http://www.redhat.com/security/updates/backporting/
> 
> You will find that your update notifications from any government entity
> will reference a CVE number. 
> 
> http://cve.mitre.org/
> 
> Red Hat (and most others) will give you the CVE that an update
> addresses for compliance tracking purposes. You can find a list of the
> Red Hat update advisories by product at:
> 
> https://rhn.redhat.com/errata/
> 
> You can click on the link for the version you have.

I appreciate the pointer, but the errata pages don't address this
vulnerability.

> Also, having been an ISSO (information system security officer) prior
> to getting out of the AF, I know that the compliance date on those is
> typically long enough that the software makers can get an update out
> there for you. With that considered, If this is for CVE 2008-2750, it
> was only released a few days ago, so give Red Hat a chance to get an
> updated kernel package out there and don't freak out. 

With the Oracle CPUs coming out again next month, I don't have the
luxury of waiting for vendor support.  I was an ISSO when I retired from
the military, too, and am used to freaking out.  The IA staff I report
to expect compliance within a week of these messages, regardless of what
dates are given on the vulnerability messages.  That said, it took me
three years to get permission to run Linux, and I don't want to give the
Windowphiles any ammunition.

> > Now that my server's compliant with information assurance
> > requirements, VMware won't run on it, and that's what it was for.
> > Since nobody can use it now, it should be really secure.  I tried
> > vmware-any-any-115.tgz, but even that did't work.
> 
> There are newer versions out there.
> 
> http://groups.google.com/group/vmkernelnewbies/browse_thread/thread/b57361dd2b47521c

Thanks - I tried up through update-117b and none of those worked,
either.  I guess I'll just have to wait.

Al Castanoli



More information about the SATLUG mailing list