cPKernel Updates
Yes, it's maintained and updated in a similar fashion to the stock kernel.
As of today, with the newest kernel from Redhat/CentOS, the "cPanel maintained" kernel is currently out of date. FYI.
Hello @yatesf, Could you let us know which specific CentOS version you are using and the specific kernel update you are referring to in this particular case? Keep in mind the cPanel-provided kernel is only available for CentOS 6 64-bit systems at this time. Thank you.
I downloaded the cPanel kernel 10 days ago but yesterday my system got reverted back to the stock kernel after an update. What caused this? I also read yesterday a post by someone at the current thread (which got removed I suppose because I can no longer see it) that the cPanel kernel is out of date? Please advise what to do.
Hello @EneTar, Please post the output from the following commands so we can get a better idea about your system's environment:
cat /etc/redhat-release
uname -r
rpm -qa|grep kernel
cat /var/cpanel/envtype
Thank you.
Hi Michael here is my info
[~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[~]# uname -r
2.6.32-642.11.1.el6.x86_64
[~]# rpm -qa|grep kernel
kernel-devel-2.6.32-642.4.2.el6.x86_64
kernel-devel-2.6.32-642.6.2.el6.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-headers-2.6.32-642.11.1.el6.x86_64
kernel-devel-2.6.32-642.6.1.el6.x86_64
kernel-firmware-2.6.32-642.11.1.el6.noarch
kernel-2.6.32-642.6.199.2.cpanel6.x86_64
kernel-2.6.32-642.6.2.el6.x86_64
kernel-2.6.32-642.6.1.el6.x86_64
kernel-2.6.32-642.11.1.el6.x86_64
kernel-devel-2.6.32-642.6.199.2.cpanel6.x86_64
kernel-devel-2.6.32-642.11.1.el6.x86_64
kernel-2.6.32-642.4.2.el6.x86_64
[~]# cat /var/cpanel/envtype
kvm
[~]# yum repolist
Loaded plugins: fastestmirror, tsflags, universal-hooks
Loading mirror speeds from cached hostfile
 * EA4: 204.10.37.146
 * base: mirror.spro.net
 * extras: mirrors.sonic.net
 * updates: centos.mirrors.tds.net
repo id           repo name                                        status
EA4               EA4 ( EasyApache 4 )                             20,487
MariaDB101        MariaDB101                                       17
base              CentOS-6 - Base                                  6,634+62
cPkernel          cPanel Kernel                                    65
epel              Extra Packages for Enterprise Linux 6 - x86_64   11,380+746
extras            CentOS-6 - Extras                                62
hgdedi            HG Monitoring Repo                               155
ksplice-uptrack   Ksplice Uptrack for CentOS                       14
nginx             nginx repo                                       129
ul                UL                                               60
ul_hostgator      UL_HostGator                                     8
updates           CentOS-6 - Updates                               622+48
repolist: 39,633
Please let me know if you see anything that shouldn't be in there.
I think what the OP is saying is that CentOS released a 2.6.32-642.11.1.el6 kernel on November 19th and cPanel hasn't yet updated their cPKernel. 5 days later, cPanel still hasn't released an updated cPKernel to match this 2.6.32-642.11.1.el6 kernel. Or at least that I am aware of. The latest cPKernel kernel is 2.6.32-642.6.199.2.cpanel6? Which I am assuming matches the CentOS 2.6.32-642.6.2.el6 kernel? I know it's going to take some time for kernel updates to filter down. I don't know if 5 days is that unreasonable (although if this were a Dirty COW situation it might be different) but it certainly is a topic of discussion. The way I understand it, cPanel can't update their kernel until CentOS releases their kernel. CentOS can't release their kernel until Redhat releases their kernel. The more levels you have to this, the more delays you have. This is why people that use RHEL will always get a stock kernel update before CentOS users will. CentOS users will always get a stock kernel update before cPanel kernel users.
So if I understand correctly this means that whenever CentOS releases a new kernel our system will automatically update to use the CentOS kernel because it is newer than the latest of cPanel until cPanel releases a few days later the new one which will replace again that of CentOS.
You probably want to wait and get someone from cPanel or someone with a bit better understanding of yum repository construction involved in this discussion. I thought the cPkernel.repo used a cost parameter to weigh its packages against CentOS packages, but I'm not seeing that. Perhaps that is something that cPanel needs to look into. Adding a parameter (I think this is the cost parameter, but I'm not sure) to the cPkernel.repo to weigh their kernel more than the distribution's kernel. I wouldn't recommend doing anything until someone with a bit better understanding of this chimes in. I'm just mentioning this as a potential topic of discussion.
I think what the OP is saying is that CentOS released a 2.6.32-642.11.1.el6 kernel on November 19th and cPanel hasn't yet updated their cPKernel.
Yes, that is exactly what I was saying. My original post was a reply in a different thread. My reply-post got edited of some relevant information and then made into its own thread (i.e. this one that we're reading now). The missing information from my original reply was a weblink URL that shows dated timestamp information that reflects the difference between the recently released "19 November" CentOS kernel and the outdated "26 October" cPanel maintained kernel below:
Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64
This outdated cPanel kernel is the reason I am getting a new Security Advisor Warning about "Kernel symlink ownership attacks", the title of the thread that I originally replied to. As an additional FYI to this current thread (since the scope seems to be growing), the procedure to remedy this Security Advisor Warning can be accomplished by the instructions/documentation at this weblink URL below (pending that the cPanel maintained kernel is more recent than the Redhat/CentOS kernel that you updated to):
How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation
Could you let us know which specific CentOS version you are using and the specific kernel update you are referring to in this particular case?
Please post the output from the following commands so we can get a better idea about your system's environment:
cat /etc/redhat-release
uname -r
rpm -qa|grep kernel
cat /var/cpanel/envtype
root@ds147 [~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
root@ds147 [~]# uname -r
2.6.32-642.11.1.el6.x86_64
root@ds147 [~]# rpm -qa|grep kernel
kernel-firmware-2.6.32-642.11.1.el6.noarch
dracut-kernel-004-409.el6_8.2.noarch
kernel-2.6.32-642.6.199.2.cpanel6.x86_64
kernel-headers-2.6.32-642.11.1.el6.x86_64
kernel-2.6.32-642.11.1.el6.x86_64
root@ds147 [~]# cat /var/cpanel/envtype
standardroot@ds147 [~]#
Hello, Internal case NO-885 is open to track the progress of the cPanel hardened kernel's update after the most recent update published by CentOS. We'll update this thread once the new kernel is published and available for download. In addition, the issue where the cPanel hardened kernel is replaced by newer stock kernels when made available from CentOS has been reproduced and a resolution is planned in the near future. The internal case number is NO-871. I'll update this thread with more information on the status of this issue as it becomes available. Thank you.
Hello, Internal case NO-885 is open to track the progress of the cPanel hardened kernel's update after the most recent update published by CentOS. We'll update this thread once the new kernel is published and available for download.
Thanks Michael. At the risk of making myself unpopular can we get an indication of what has caused the delay in this instance? While it's not a critical update I believe it was classed as important and per this thread is thus on many of our radars per update policy. Can I also ask if there is a mailing list for updates to cPkernel? Ideally (at least for me) an email would arrive when the update is ready as it does for stock CentOS via the centos announce list.
Hello, To update, the issue where a newer stock kernel would overwrite the cPanel kernel was resolved and should no longer occur. Additional updates through YUM should update the kernel back to the cPanel-hardened kernel version on any systems that were affected. Additionally, the updated kernel was published on November 29th, 2016:
Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages
uname -r
2.6.32-642.11.199.cpanel6.x86_64
The build and release process for the cPanel-hardened kernel is not yet fully defined. I don't have a specific time frame to offer on any improvements at this time, but I'll update this thread to note any changes when the information becomes available. Thank you.
Additionally, the updated kernel was published on November 29th, 2016: Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages
Just an FYI for the thread. CentOS 6 released another updated kernel today and the last "29 November 2016" cPanel-hardened kernel just now became out of date. This results in the attached error from cPanel Security Advisor. This error occurs despite the fact that I ran "yum update" to update the kernel. It only updated me to the latest stock CentOS kernel because the hardened cPanel kernel isn't available yet.
Hello @yatesf, The updated cPanel hardened kernel was published shortly after your response on 2017-01-13. Thank you.
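The version ordering behind the behaviour discussed in this thread, as an added example (not posted by any participant and not cPanel's code): a simplified RPM-style comparison applied to kernel package names quoted above, showing which installed kernel ranks newest and whether the running one is the hardened build. It ignores epochs and tilde handling, and assumes hardened kernels are recognisable by `.cpanel` in the release string, as in the package names posted here; `audit`, `newest`, `vercmp` and `parse` are names made up for this sketch.

```python
import re

# Constructed sample: package names copied from the `rpm -qa|grep kernel`
# output posted in the thread, plus the cPanel kernel published on November 29th.
INSTALLED = [
    "kernel-devel-2.6.32-642.6.2.el6.x86_64",
    "dracut-kernel-004-409.el6_8.2.noarch",
    "kernel-2.6.32-642.6.199.2.cpanel6.x86_64",
    "kernel-2.6.32-642.6.2.el6.x86_64",
    "kernel-2.6.32-642.11.1.el6.x86_64",
]
UPDATED_CPANEL = "kernel-2.6.32-642.11.199.cpanel6.x86_64"

# Only the bare "kernel" package: name, then version, release and arch.
PKG = re.compile(r"^kernel-(\d[^-]*)-(.+)\.([^.]+)$")

def parse(pkg):
    m = PKG.match(pkg)
    return (m.group(1), m.group(2)) if m else None  # (version, release)

def vercmp(a, b):
    """Simplified rpmvercmp: compare runs of digits or letters left to right."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run outranks letters
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def newest(pkgs):
    best = None
    for ver, rel in filter(None, map(parse, pkgs)):
        if best is None or (vercmp(ver, best[0]) or vercmp(rel, best[1])) > 0:
            best = (ver, rel)
    return "-".join(best) if best else None

def audit(pkgs, running):
    """running is the `uname -r` string; hardened builds carry '.cpanel'."""
    top = newest(pkgs) or ""
    return {"newest": top,
            "newest_is_cpanel": ".cpanel" in top,
            "running_is_cpanel": ".cpanel" in running}

if __name__ == "__main__":
    print(audit(INSTALLED, "2.6.32-642.11.1.el6.x86_64"))
    print(audit(INSTALLED + [UPDATED_CPANEL], "2.6.32-642.11.199.cpanel6.x86_64"))
```

With the packages from the first report, the stock 642.11.1.el6 build outranks the 642.6.199.2.cpanel6 build; once the 642.11.199.cpanel6 package is present it ranks highest again.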