
Resolved
0 votes
Friday, January 28 2022, 10:52 PM
Responses (9)
  • Accepted Answer

    Thursday, March 17 2022, 11:02 AM
    Updates have now been pushed to the paid repos.
  • Accepted Answer

    Tuesday, March 15 2022, 10:57 AM
    I have released updates for the Community and they should now be available in the overnight updates or you can do a manual "yum update".

    For paid users I was going to wait a couple of days, just in case there are issues with some of the updates (we normally wait a week). There should not be any issues and I have been running with them since they were released, so for PwnKit, since just before my contract was terminated. If any paid users want to jump the gun, just do a:
    yum update --enablerepo=clearos-centos-updates,clearos-epel
    It should be safe.
  • Accepted Answer

    Wednesday, February 16 2022, 11:54 AM
    Von Royce Wallace wrote:
    The mitigation

    For Pwnkit is

    chmod 0755 /usr/bin/pkexec

    Sort of a bandaid until you get the patches (if they ever come)

    I have no idea what the collateral damage of that mitigation is. The webconfig makes extensive use of sudo.

    The other two CVEs do not seem to apply. First one, the module is not loaded

    I am not so sure. See /etc/httpd/conf.modules.d/00-lua.conf

    Second, samba does not have the entry in smb.conf

    I tend to agree as we don't use vfs_fruit in Flexshares, but we should patch anyway in case any users manually configure their samba shares (like I do for some of mine, but, even then, I don't use vfs_fruit).
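    An added audit helper (my own example, not code from the thread or from ClearOS) that checks the three exposure points argued over in this post: whether pkexec still carries the setuid bit that PwnKit depends on, whether an uncommented LoadModule line for lua_module exists under /etc/httpd/conf.modules.d, and whether any section of smb.conf enables vfs_fruit. The default paths, the variable names and the `--run` flag are assumptions of the example.

```sh
#!/bin/sh
# Added audit helper (example, not ClearOS code): checks the three exposure
# points discussed in the thread. Paths are variables so the checks can be
# pointed at copies of the files; defaults are the usual system locations.
PKEXEC="${PKEXEC:-/usr/bin/pkexec}"
HTTPD_MODS_DIR="${HTTPD_MODS_DIR:-/etc/httpd/conf.modules.d}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# PwnKit needs pkexec to be setuid root; the chmod 0755 mitigation strips
# that bit. Returns 0 (true) while the setuid bit is still present.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# mod_lua is only loaded if an uncommented LoadModule line for lua_module
# exists in one of the conf.modules.d/*.conf files (00-lua.conf on ClearOS).
httpd_lua_loaded() {
    grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+lua_module' "$1"/*.conf
}

# vfs_fruit is only in play if some section of smb.conf lists it in a
# "vfs objects" line (Flexshares do not; hand-written shares might).
smb_uses_vfs_fruit() {
    grep -Eiqs '^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=.*fruit' "$1"
}

# Run all three checks, print one line each and return 1 if any is exposed.
audit() {
    rc=0
    if pkexec_is_setuid "$PKEXEC"; then
        echo "EXPOSED: $PKEXEC is still setuid (PwnKit mitigation not applied)"; rc=1
    else echo "ok: $PKEXEC is not setuid"; fi
    if httpd_lua_loaded "$HTTPD_MODS_DIR"; then
        echo "EXPOSED: lua_module is loaded from $HTTPD_MODS_DIR"; rc=1
    else echo "ok: lua_module is not loaded"; fi
    if smb_uses_vfs_fruit "$SMB_CONF"; then
        echo "EXPOSED: vfs_fruit is configured in $SMB_CONF"; rc=1
    else echo "ok: vfs_fruit is not configured"; fi
    return $rc
}

# "--run" (a convention of this example) performs the audit when the script is
# executed directly; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

    Run it as `sh pkaudit.sh --run` on the host; a non-zero exit means at least one of the three items still needs the mitigation or the patch. The lua check reads the configuration only, so a module disabled some other way (or a running httpd that has not been restarted since the file changed) is not reflected.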
  • Accepted Answer

    Tuesday, February 15 2022, 05:32 PM
    Nick Howitt wrote:

    Sad, but, as well as that, there are now 2 unpatched CVEs which Red Hat have rated Critical:
    CVE-2021-44790 - somewhere in apache/httpd
    CVE-2021-44142 - samba

    PwnKit (CVE-2021-4034) is not classed as Critical by Red Hat, just Important, and there are a number of other CVEs classified as Important with a higher score than PwnKit which also need patches.

    It seems that Clearcenter have made an edict about the terms they now want to apply to their staff and the edict is more important than their customers.

    The mitigation

    For Pwnkit is

    chmod 0755 /usr/bin/pkexec

    Sort of a bandaid until you get the patches (if they ever come)

    The other two CVEs do not seem to apply. First one, the module is not loaded
    Second, samba does not have the entry in smb.conf
  • Accepted Answer

    Tuesday, February 15 2022, 10:36 AM
    Sad, but, as well as that, there are now 2 unpatched CVEs which Red Hat have rated Critical:
    CVE-2021-44790 - somewhere in apache/httpd
    CVE-2021-44142 - samba

    PwnKit (CVE-2021-4034) is not classed as Critical by Red Hat, just Important, and there are a number of other CVEs classified as Important with a higher score than PwnKit which also need patches.

    It seems that Clearcenter have made an edict about the terms they now want to apply to their staff and the edict is more important than their customers.
  • Accepted Answer

    Tuesday, February 15 2022, 12:58 AM
    Man Nick, this forum support is built on your expertise. It's why I paid the money for it, because I knew someone would be there to point me in the right direction if I asked. You have been instrumental in me setting up my website, SQL, email etc.

    Now the future is very unclear as they must move on to something else for their Linux platform and there is no one to support it like you did, wow...

    I am going to have to start looking around at other options. Now that it's vulnerable!

    I thought you did a hell of a job, always on point and responsive.

    If they wish to jump the hurdle for the next OS, they will need you or someone like you rowing the boat.

    I wish you the best.

    I have worried about the future of ClearOS for some time with the CentOS changes. I did find the info that the CEO posted reassuring; however, where the rubber meets the road I have my doubts now.
  • Accepted Answer

    Tuesday, February 01 2022, 07:15 PM
    Thanks for your words, but in all likelihood I will be dropping out of the forums.

    Also note that there are 4 vulnerabilities in Apache (httpd) which were due to be fixed today, one of which is classed as critical. For all I know, Clearcenter may have it covered, but I have no idea.
  • Accepted Answer

    Tuesday, February 01 2022, 07:04 PM
    Nick,

    OH NO! First, it sucks that another vulnerability exists, but luckily it was found. More importantly, we (I) don't want to see you disappear!!! I am hoping that things will work out as you have been more than great helping us on this forum, fixing stuff, preparing updates and everything!

    PLEASE keep us posted.

    John
  • Accepted Answer

    Tuesday, February 01 2022, 09:47 AM
    I can confirm that ClearOS is vulnerable to this exploit. I was going to release the fix today on the normal update day but unfortunately Clearcenter have terminated my contract when I was unable to accept their revised terms. I now no longer work for them and have no idea when they plan to issue the update or who they even have in mind to do the ClearOS release maintenance. Until the fix is released, ClearOS will remain vulnerable.