The Community Forums

Lack of CL7 kernel updates

Discussion in 'CloudLinux' started by Trane Francks, Jul 18, 2018.

  1. Trane Francks

    Trane Francks Well-Known Member

    Joined:
    Jun 19, 2012
    Messages:
    88
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Machida, Tokyo, Japan
    cPanel Access Level:
    Root Administrator
    I'm putting this here because we have a CL license via our cPanel sub.

    I'm concerned about the lack of CloudLinux 7 kernel updates vs what has come down the pipe from CentOS (our server base prior to installing CL). Investigation shows the last CL7 kernel went beta May 23 and production on June 11 (JST, so give or take a day for your locale). Meanwhile, CentOS 7 has had production releases of the kernel on May 23, May 31, June 16, July 7 and July 18.

    Of those CentOS releases, 3 are Important CVEs, 1 is Moderate and one is a bug fix.

    Anybody have any thoughts or information? I like CL for MySQL Governor, CageFS and mod_lsapi, but the serious lack of speed for kernel updates is a major concern. All those benefits go out the window in the face of an exploited vulnerability.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,194
    Likes Received:
    159
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Trane Francks

    I can confirm that they have, thus far, released fewer kernel updates this year compared to last year (based off their updates on https://www.cloudlinux.com/cloudlinux-os-blog). I am unaware if there is a specific issue that has prevented them from releasing a new kernel since June 11. I do believe they are currently working on a new kernel release that addresses CVE-2018-3665 but further information into when specifically that will be published is not available. Their reasoning behind not releasing more updates we aren't privy to, though I'm sure they're working diligently.
     
    Trane Francks likes this.
  3. Trane Francks

    Trane Francks Well-Known Member

    I had an exchange with CloudLinux support about the release schedule, but was not, I think, given an adequate explanation. Basically, the reply was "we don't take downstream kernels from CentOS, we do our own fixes." Updates can be found on the blog (which I take as an RSS feed and track daily) or from the command line via the following command:

    Code:
    rpm -q --changelog kernel | grep -i cve
    Running that on my up-to-date CloudLinux 7.5 system shows that the latest CVE is from 2017.

    I cannot say that I'm satisfied. There have been a number of Important/Critical CVEs released for the Linux kernel in 2018.
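
An added example, not part of the original post or of any CloudLinux tooling: the changelog check above, extended to list the distinct CVE IDs a kernel changelog mentions, report the newest CVE year, and flag IDs you expected but that are absent. The changelog sample, its version strings and its CVE numbers are constructed placeholders; CVE-2018-3665 is the ID named earlier in this thread.

```bash
#!/usr/bin/env bash
# Added example: summarise which CVE IDs an RPM kernel changelog mentions.

# Constructed stand-in for `rpm -q --changelog kernel` output. The package
# versions and CVE numbers are placeholders, not real CloudLinux data.
sample_changelog() {
cat <<'EOF'
* Mon Jun 11 2018 Example Builder <build@example.invalid> [3.10.0-0.example2]
- [net] constructed entry with no CVE reference
* Tue Dec 05 2017 Example Builder <build@example.invalid> [3.10.0-0.example1]
- [fs] constructed fix (CVE-2017-00001)
- [mm] constructed fix {cve-2017-00002}
- [kernel] constructed fix (CVE-2016-00003) (CVE-2017-00001)
EOF
}

# stdin: changelog text. stdout: unique CVE IDs, upper-cased, one per line.
list_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# stdin: changelog text. stdout: newest CVE year referenced (empty if none).
latest_cve_year() {
    list_cves | cut -d- -f2 | sort -n | tail -n 1
}

# args: CVE IDs you expect to be fixed. stdin: changelog text.
# stdout: the subset of those IDs the changelog never mentions.
missing_cves() {
    local have id
    have=$(list_cves)
    for id in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

# Demo on the constructed sample. On a real host, replace `sample_changelog`
# with: rpm -q --changelog kernel
echo "newest CVE year: $(sample_changelog | latest_cve_year)"
echo "not mentioned:   $(sample_changelog | missing_cves CVE-2018-3665)"
```

A changelog only describes the installed package; compare `uname -r` with `rpm -q kernel` to confirm the patched kernel is the one actually booted.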
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @Trane Francks

    I spoke to some folks at CloudLinux about this specific thread today and I was told that they are currently working on a kernel update with CVE-2018 items included based on 3.10.0-862. They noted that it should be ready in a couple of weeks; they also noted that because the kernel is different from the stock CentOS kernel, it does take some time to push updates. I do believe there may have been unexpected issues with the specific updates they were attempting; this isn't something that is officially released, nor do I have any further information. I just know they do rigorously test kernel updates before they're released and it would explain a bit of a delay in releasing.

    Also, in the event that you have a KernelCare subscription, the kernel has been patched against several CVE-2018 items fixed in 3.10.0-862.2.3.el7; you can see them all here: https://patches.kernelcare.com/7cb7fa223653275a4b809b362a079e763dda7354/4/kpatch.html
     
  5. Trane Francks

    Trane Francks Well-Known Member

    Hi, Lauren.

    I don't doubt that CL told you that a kernel would be ready in a couple of weeks, but I find it rather doubtful since there are no CloudLinux 7 kernels currently in beta. Perhaps they meant that a beta release would be available in a couple of weeks. If that's true, it's likely to be a month or more before it reaches production. The greater the number of fixes included in a particular kernel release, the longer the beta tends to be because of the greater likelihood of trouble arising.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @Trane Francks

    They did confirm it wouldn't be into beta for a couple of weeks and it's unknown how long it would remain in beta. So your timeline on this is pretty accurate. As I mentioned before, KernelCare does apply these patches more quickly, though it does require a subscription.

    Unfortunately, their kernel release scheduling is out of our control, as is information on why it's taking longer than previous releases. I am sorry we couldn't be of more assistance in this respect.


    Thanks!
     