Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Hilton Travis on January 06, 2004, 10:39:40 AM

Title: SME Kernel Vulnerabilities
Post by: Hilton Travis on January 06, 2004, 10:39:40 AM
Hi All,

Since the release of the latest SME 5.6 Updates and the SME 6.0 final release there have been vulnerabilities found in the kernel.  I am wondering when Mitel is going to be releasing updates to the kernels in these Mitel releases.

My e-smith box is behind a firewall, but the number of boxes out there acting as a firewall and file server would make these vulnerabilities a possibly critical threat to the security of these boxes/networks.

Alternatively (and preferably), if the .config file for the default kernel and a list of any modifications to the standard kernel source was published, it would make it easy for your users to patch their systems while they are waiting for an official release from Mitel.

Regards,
HiltonT
Title: Re: SME Kernel Vulnerabilities
Post by: Charlie Brady on January 06, 2004, 05:44:25 PM
Hilton Travis wrote:

> Since the release of the latest SME 5.6 Updates and the SME
> 6.0 final release there have been vulnerabilities found in the
> kernel.

All of those vulnerabilities are only exploitable by local users who are permitted to run arbitrary programs. The SME server configuration has only one such user (root - i.e. you).

> I am wondering when Mitel is going to be releasing
> updates to the kernels in these Mitel releases.

Mitel has never built their own kernels, but has always used RedHat RPMs unmodified.

> My e-smith box is behind a firewall, but the number of boxes
> out there acting as a firewall and file server would make these
> vulnerabilities a possibly critical threat to the security of
> these boxes/networks.

The existence or otherwise of a separate firewall is very unlikely to be an issue - it would only be an issue if there were remotely exploitable vulnerabilities in netfilter.

> Alternatively (and preferably), if the .config file for the
> default kernel and a list of any modifications to the standard
> kernel source was published, ...

It is, in the source RPM for the kernel, available from multiple mirror sites. All SME server source code is, and always has been, published, in source RPM form.

Regards

Charlie
Title: Re: SME Kernel Vulnerabilities
Post by: Anonymous on January 06, 2004, 07:40:27 PM
If I want to upgrade my kernel anyway, can I upgrade it? Any potential trouble?
Title: Re: SME Kernel Vulnerabilities
Post by: Hilton Travis on January 07, 2004, 10:21:25 AM
Hi,

You can try.  I tried a number of times, and a number of ways.  All went BANG! to some degree, and ALL resulted in a non-working SME once booting into the new kernel.

At least you can boot back into the original kernel thanks to our old friend lilo!  :)

Regards,
HiltonT