Another thing to consider: if you have a Management Node with the Bash
vulnerability, you probably have that level of bash in the images that
were built on the MN, and they have the vulnerability.
To fix the images, there are a few options:
· For diskless images, you can chroot or use xdsh -i and apply the
patch directly to the image. Run packimage and reboot.
· For stateful installs, if you have a patched Bash rpm, you could
add it to the otherpkgs pkglist. If it is a version later than the base
Bash rpm, this will update bash on the install with the patched
Bash level. You can even use updatenode to update it immediately
on all your stateful nodes. This also works for stateless nodes,
but you may prefer to have your stateless images correct.
· If only a patch is available, then set up to sync the patch to the
node and create a postscript to install the patch. If you add the
syncfile to the image synclist and the postscript to the postscript
list, then either install, netboot or updatenode will fix things for
you.
Good Docs:
http://sourceforge.net/p/xcat/wiki/Using_Updatenode/
http://sourceforge.net/p/xcat/wiki/Postscripts_and_Prescripts/
There are probably other good suggestions from our user community.
Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102
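
Added example, not part of the original message and not code shipped with xCAT: a postscript of the kind the last option describes, which tests the node's bash, installs a synced rpm only when needed, and re-tests afterwards. The script name fixbash, the rpm path and the PROBE_HIT marker are assumptions; the probe covers only CVE-2014-6271, not the other CVEs in the subject line.

```shell
#!/bin/sh
# Hypothetical xCAT postscript "fixbash" (added example, not shipped with xCAT).
# Assumes the synclist has delivered a patched Bash rpm to $PATCHED_RPM; the
# path below is a placeholder, not a value from the thread.
PATCHED_RPM="${PATCHED_RPM:-/tmp/bash-patched.rpm}"

# Return 0 if the given shell runs code appended to a function definition
# imported from the environment (the CVE-2014-6271 behaviour).
# This does not detect the later CVEs; the package level still has to be
# compared with the OS vendor's advisory.
imports_trailing_code() {
    shell="$1"
    out=$(env 'probe=() { :;}; echo PROBE_HIT' "$shell" -c 'echo done' 2>/dev/null)
    case "$out" in
        *PROBE_HIT*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Patch only when needed, then re-test so that a failed fix shows up in the
# postscript output instead of passing silently.
fix_bash() {
    shell="${1:-/bin/bash}"
    if ! imports_trailing_code "$shell"; then
        echo "fixbash: $shell not affected by the CVE-2014-6271 probe"
        return 0
    fi
    if [ ! -f "$PATCHED_RPM" ]; then
        echo "fixbash: $shell affected but $PATCHED_RPM was not synced" >&2
        return 2
    fi
    rpm -Uvh "$PATCHED_RPM" || return 3
    if imports_trailing_code "$shell"; then
        echo "fixbash: $shell still affected after update" >&2
        return 4
    fi
    echo "fixbash: $shell updated"
}

# Run when executed under its postscript name; do nothing when sourced.
case "$0" in
    *fixbash*) fix_bash "$@" ;;
esac
```

A non-zero exit status distinguishes a missing rpm (2), a failed install (3) and a shell that is still affected after the update (4).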
From: Lissa Valletta/Poughkeepsie/IBM@IBMUS
To: xCAT Users Mailing list <[email protected]>
Date: 10/01/2014 10:53 AM
Subject: Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278)
You have a very good point; thanks for pointing this out. We will have to
discuss in development how to fix this. Fortunately the use of the
kernel is short-lived only for discovery, install, etc. This does not
impact a running MN or running compute nodes.
Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102
From: Mark Loveridge <[email protected]>
To: xCAT Users Mailing list <[email protected]>
Date: 10/01/2014 10:07 AM
Subject: Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278)
Schlumberger-Private
The version of bash in the genesis kernel is potentially vulnerable –
though it probably isn’t exploitable in the out-of-the-box configuration.
Are there any plans to update the genesis image?
I for one will be replacing the genesis version of bash with a patched
version so that I feel more comfortable (and keep my managers happy).
Mark
From: Lissa Valletta [mailto:[email protected]]
Sent: 30 September 2014 12:27
To: xCAT Users Mailing list
Subject: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)
Title: Extreme Cloud Administration Toolkit (xCAT) is not affected by the
Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)
Flash (Alert)
Abstract
Extreme Cloud Administration Toolkit (xCAT) is not vulnerable to the Bash
vulnerabilities that have been referred to as “Bash Bug” or “Shellshock”
and the two memory corruption vulnerabilities.
Content
· Extreme Cloud Administration Toolkit (xCAT) in all editions and all
platforms is NOT vulnerable to the Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278).
Remediation: Check your OS for recommended patches.
Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user