Skip to main content

KernelCare's Free Patch Set

Comments

7 comments

  • cPanelLauren
    Hi @Nirjonadda Can you please run the following via SSH on your server? kcarectl --patch-info
    uname -r
    And let me know the output
    0
  • Nirjonadda
    This is output. [root@nr ~]# kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-28 18:44:24 kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch kpatch-description: Restrict access to pagemap/kpageflags/kpagecount kpatch-kernel: kpatch-cve: kpatch-cvss: kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html kpatch-patch-url: uname: 3.10.0-862.3.2.el7 [root@nr ~]# uname -r 3.10.0-862.3.2.el7.x86_64 [root@nr ~]#
    0
  • cPanelLauren
    Hi @Nirjonadda It doesn't look like you have the patch installed. The patch should provide output like the following: [root@server mailboxes]# kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.2.3.el7 time: 2018-05-28 18:44:24 kpatch-name: 3.10.0/symlink-protection-ge-862.patch kpatch-description: symlink protection kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7 kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch kpatch-description: symlink protection (kpatch adaptation) kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    The output you have is indicating a different patch
    0
  • Nirjonadda
    It doesn't look like you have the patch installed.

    Yes I have installed from Security Advisor but Its no more working after new kernel version update. Also why Security Advisor not showing patch install?
    0
  • cPanelLauren
    Hi @Nirjonadda I'm unsure as to why the patch is no longer installed. But it's not just showing that in security advisor, it's also not present on the server according to KernelCare as well. Can you run the following to enable to symlink protection manually: kcarectl --set-patch-type free --update
    Then to ensure that it's set to have the patch: kcarectl -i
    It should output something like: # kcarectl -i kpatch-state: patch is applied kpatch-for: Linux version 3.10.0-862.2.3.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Wed May 9 18:05:47 UTC 2018 kpatch-build-time: Mon May 21 09:16:44 2018 kpatch-description: 2-free;
    0
  • Nirjonadda
    Can you run the following to enable to symlink protection manually:

    KernelCare's Free Patch already installed? [root@nr ~]# kcarectl --set-patch-type free --update 'free' patch type selected Downloading updates Patch Level 2 applied, effective kernel version Updates already downloaded Kernel is safe [root@nr ~]#
    This output. [root@nr ~]# kcarectl -i kpatch-state: patch is applied kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018 kpatch-build-time: Wed May 23 18:36:35 2018 kpatch-description: 2-free; [root@nr ~]#
    [root@nr ~]# kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-28 18:44:24 kpatch-name: 3.10.0/symlink-protection-ge-862.patch kpatch-description: symlink protection kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7 kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch kpatch-description: symlink protection (kpatch adaptation) kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7 [root@nr ~]#
    So why KernelCare's Free Patch Set no more working after new kernel version update?
    0
  • cPanelLauren
    Hi @Nirjonadda It looks like somehow the patch was removed in your case, I can't tell you specifically how it was removed, but it was definitely not present on the server. We can see now though that it's been readded.
    0

Please sign in to leave a comment.