On 03/02/12 13:37, Tom Hendrikx wrote:
> On 03/02/12 03:50, Brian Kroth wrote:
>> Tom Hendrikx <firstname.lastname@example.org> 2012-02-02 21:42:
>>> On 27/01/12 14:37, Anthony G. Basile wrote:
>>>> Hi everyone,
>>>> I just added hardened-sources 2.6.32-r88 and 3.2.2 to the tree. They
>>>> address CVE-2012-0056. I've tested and they do indeed resist the
>>>> exploit. I will be stabilizing them within 24 hours. However, I feel
>>>> very uncomfortable doing so because I don't want to trade one set of
>>>> problems with another. If anyone has time to test, let me know if you
>>>> encounter any issues.
>>> I am still using 2.6.* sources here on one machine pending resolution of
>>> bug https://bugs.gentoo.org/show_bug.cgi?id=386721 (if it will ever
>>> happen :/ ).
>> Are those open-vm kernel modules still necessary? It was my
>> understanding that most/all of the guest modules for more efficient
>> virtual hardware support were included in the mainline kernel now:
> I did some more investigation. None of the three in-tree
> open-vm-tools-kmod ebuilds compile against 2.6.32-r89, building a
> 3.2.2-r1 kernel now to test against that.
The same goes for 3.2.2-r1: none of the -kmod packages build against it.
This means that the state of the -kmod package is a security issue,
since it cannot be used with a non-vulnerable -hardened kernel. I'll add
this to the bug report.
>
> I thought that I needed the -kmod package to run open-vm-tools in the
> guest, but after some more research this might only apply when you want
> drag-and-drop support (useless for (headless) server). The open-vm-tools
> ebuilds list the -kmod package as a hard RDEPEND though. I'll do some
> tests later today/during the weekend.
Just booted a 3.2.2-r1-hardened kernel, and the vmware-tools stuff seems to
run fine with the in-kernel vmware support. Not sure about performance
etc., but it boots, generates no errors, and vSphere on the host reports
no issues either.
We might just need an updated open-vm-tools package that only depends on
the in-kernel stuff, and no longer on the -kmod package. I'll try to
follow up with the vmware people, as this is getting OT here ;)