We just published the latest CentOS 6 and 7 images for Vagrant, with updates from 2017-07-02 (when the v1706.01 images were built). These images contain important security fixes, as well as fixing some regressions introduced by the initial patch for the “stack clash” vulnerability.

We had released unscheduled updates to our images on June 16th, very soon after the Red Hat security bulletin and sources were available. While regressions do happen (Debian had similar problems with their initial fix, and had to issue another update), I wonder if we shouldn’t have waited a little longer: if I understand Qualys’ blog correctly, “stack clash” only makes it much easier to exploit a buffer overflow, by making the kernel’s stack guard page ineffective. From this perspective, there’s immediate danger only in combination with another vulnerability. Considering that the initial fixes had some issues with Java, some setups might have been better off waiting a few days to avoid downtime.

Perhaps also important, Hashicorp now hosts the Vagrant images on Vagrant Cloud, instead of Atlas as before. They announced that redirects will be issued from Atlas, so there should be no visible impact on Vagrant users. I haven’t updated Endymion yet, but it’s still working as before, despite issuing requests to Atlas; I hope that the Vagrant version from SCL keeps working. If you experience any problems, please post a message on the centos-devel mailing list (subscription required) or contact me at [email protected].

Back to posts