However after the install running yum update lists an new version from 2.6.32-642.6.1.el6.centos.plus from installation source Base-debuginfo even though the installed version is the same number.
This update stops the mitigation script from working.
I’d be very interested to hear other’s experiences with that, though I personally had not, I only have experience updating the kernel packages and rebooting.
Yes to me it seems odd that it should try and get the package from CentOs Plus even though it is not enabled. However since Redhat / CentOS have not come up with a patch for the vulnerability that is my main concern at the moment and whether or not it is advisable to run the mitigation script.
I think Red Hat have now come up with a fix for v7 via update? “This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2098”. If so, hopefully the CentOS folks will have this available via “yum update” very soon.
I found out that the reason why it tries to update from CentOS plus is that when installing the initial kernel-debuginfo it also installs yum-plugin-auto-update-debug-info. Why this should then try and get it from Centos Plus I’ve no idea but uninstalling it removes it from yum update.
From Redhat in the same thread you posted “RHEL5 and RHEL6 are vulnerable. However, the in the wild exploit we are aware of doesn’t work on RHEL5 and RHEL6 out of the box,”
So presumably they’ll patch it for 5 and 6 though maybe not as soon as for 7.