Responses (9)
Accepted Answer
I have released updates for the Community and they should now be available in the overnight updates or you can do a manual "yum update".
For paid users I was going to wait a couple of days, just in case there are issues with some of the updates (we normally wait a week). There should not be any issues and I have been running with them since they were released, so for PwnKit, since just before my contract was terminated. If any paid users want to jump the gun, just do a:
yum update --enablerepo=clearos-centos-updates,clearos-epel
It should be safe.
Accepted Answer
Von Royce Wallace wrote:
The mitigation for PwnKit is:
chmod 0755 /usr/bin/pkexec
Sort of a band-aid until you get the patches (if they ever come)
I have no idea what the collateral damage of that mitigation is. The webconfig makes extensive use of sudo.
The other two CVEs do not seem to apply; for the first one, the module is not loaded
I am not so sure. See /etc/httpd/conf.modules.d/00-lua.conf
Second, samba does not have the entry in smb.conf
I tend to agree as we don't use vfs_fruit in Flexshares, but we should patch anyway in case any users manually configure their samba shares (like I do for some of mine, but, even then, I don't use vfs_fruit).
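As an added example (not part of the thread and not ClearOS's own tooling), a small POSIX shell audit that reports, without changing anything, on the three conditions discussed above: whether pkexec still carries the setuid bit (PwnKit), whether httpd's 00-lua.conf actually loads lua_module, and whether any share in smb.conf enables the fruit VFS module. The file paths, the line patterns matched and the use of "httpd -M" as a runtime cross-check are assumptions based on a standard RHEL/CentOS 7 layout; each check takes its path as an argument so it can also be run against copies of the files.

```shell
#!/bin/sh
# Added audit script (not from the thread or ClearOS): report-only checks for the
# three issues discussed. Paths and patterns are assumptions for a RHEL/CentOS 7 layout.

# CVE-2021-4034 (PwnKit): pkexec is only reachable as a local privilege-escalation
# vector while it is setuid root. Returns 0 if the setuid bit is set on $1.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# CVE-2021-44790 (httpd mod_lua): the module is only loaded if an uncommented
# LoadModule line for lua_module exists in $1. Returns 0 if one is found.
httpd_loads_lua() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+lua_module[[:space:]]' "$1" 2>/dev/null
}

# Runtime cross-check of the same question: ask httpd which modules it would load.
# Returns 0 if httpd is installed and lists lua_module.
httpd_runtime_loads_lua() {
    command -v httpd >/dev/null 2>&1 && httpd -M 2>/dev/null | grep -q 'lua_module'
}

# CVE-2021-44142 (samba vfs_fruit): affected only when a share lists "fruit" in its
# "vfs objects" line. Returns 0 if any uncommented line in $1 does so.
smb_uses_vfs_fruit() {
    grep -Eiq '^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=([^#]*[[:space:]])?fruit([[:space:]]|$)' "$1" 2>/dev/null
}

# Print one line per check against the live system paths. Nothing is modified;
# the band-aid from the thread (chmod 0755 /usr/bin/pkexec) is only mentioned.
audit_host() {
    if pkexec_is_setuid /usr/bin/pkexec; then
        echo "pkexec: setuid bit set - PwnKit reachable until patched (chmod 0755 /usr/bin/pkexec removes the bit, but also disables pkexec's normal privilege elevation)"
    else
        echo "pkexec: not setuid (or not installed)"
    fi

    if httpd_loads_lua /etc/httpd/conf.modules.d/00-lua.conf || httpd_runtime_loads_lua; then
        echo "httpd: lua_module is loaded - CVE-2021-44790 applies, patch httpd"
    else
        echo "httpd: lua_module not loaded - CVE-2021-44790 not reachable, still patch"
    fi

    if smb_uses_vfs_fruit /etc/samba/smb.conf; then
        echo "samba: a share uses vfs_fruit - CVE-2021-44142 applies, patch samba"
    else
        echo "samba: no share uses vfs_fruit - CVE-2021-44142 not reachable, still patch"
    fi
}

audit_host
```

Run it as a normal user; it only reads the files. Because the samba and httpd checks parse configuration text, a share or module enabled through an included file elsewhere would be missed by the file-based checks, which is why the httpd one is paired with "httpd -M".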
Accepted Answer
Nick Howitt wrote:
Sad, but, as well as that, there are now 2 unpatched CVEs which Redhat have rated Critical:
CVE-2021-44790 - somewhere in apache/httpd
CVE-2021-44142 - samba
PwnKit (CVE-2021-4034) is not classed as Critical by Redhat, just Important, and there are a number of other CVEs classified as Important with a higher score than PwnKit which also need patches.
It seems that Clearcenter have made an edict about the terms they now want to apply to their staff and the edict is more important than their customers.
The mitigation for PwnKit is:
chmod 0755 /usr/bin/pkexec
Sort of a band-aid until you get the patches (if they ever come)
The other two CVEs do not seem to apply; for the first one, the module is not loaded
Second, samba does not have the entry in smb.conf
Accepted Answer
Sad, but, as well as that, there are now 2 unpatched CVEs which Redhat have rated Critical:
CVE-2021-44790 - somewhere in apache/httpd
CVE-2021-44142 - samba
PwnKit (CVE-2021-4034) is not classed as Critical by Redhat, just Important, and there are a number of other CVEs classified as Important with a higher score than PwnKit which also need patches.
It seems that Clearcenter have made an edict about the terms they now want to apply to their staff and the edict is more important than their customers.
Accepted Answer
Man Nick, this forum support is built on your expertise. It's why I paid the money for it, because I knew someone would be there to point me in the right direction if I asked. You have been instrumental in me setting up my website, SQL, email etc.
Now the future is very unclear, as they must move on to something else for their Linux platform and there is no one to support it like you did, wow...
I am going to have to start looking around at other options. Now that it's vulnerable!
I thought you did a hell of a job, always on point and responsive.
If they wish to jump the hurdle for the next OS, they will need you or someone like you rowing the boat.
I wish you the best.
I have worried about the future of ClearOS for some time with the CentOS changes. I did find the info that the CEO posted reassuring; however, where the rubber meets the road, I have my doubts now.
Accepted Answer
Nick,
OH NO! First it sucks that another vulnerability exists, but luckily it is found but more importantly we (I), don't want to see you disappear!!! I am hoping that things will work out as you have been more than great helping us on this forum, fixing stuff, preparing updates and everything!
PLEASE keep us posted.
John
Accepted Answer
I can confirm that ClearOS is vulnerable to this exploit. I was going to release the fix today on the normal update day but unfortunately Clearcenter have terminated my contract when I was unable to accept their revised terms. I now no longer work for them and have no idea when they plan to issue the update or who they even have in mind to do the ClearOS release maintenance. Until the fix is released, ClearOS will remain vulnerable.