TranslateProject/published/201707/20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

如何修补和保护 Linux 内核堆栈冲突漏洞 CVE-2017-1000364
============================================================

在 Linux 内核中发现了一个名为 “Stack Clash” 的严重安全问题，攻击者能够利用它来破坏内存数据并执行任意代码。攻击者可以利用这个及另一个漏洞来执行任意代码并获得管理帐户（root）权限。

在 Linux 中该如何解决这个问题？

 [![the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris](https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg)][22] 

Qualys 研究实验室在 GNU C Library（CVE-2017-1000366）的动态链接器中发现了许多问题，它们通过与 Linux 内核内的堆栈冲突来允许本地特权升级。这个 bug 影响到了  i386 和 amd64 上的 Linux、OpenBSD、NetBSD、FreeBSD 和 Solaris。攻击者可以利用它来破坏内存数据并执行任意代码。

### 什么是 CVE-2017-1000364 bug？

[来自 RHN][13]：

> 在用户空间二进制文件的堆栈中分配内存的方式发现了一个缺陷。如果堆（或不同的内存区域）和堆栈内存区域彼此相邻，则攻击者可以使用此缺陷跳过堆栈保护区域，从而导致进程堆栈或相邻内存区域的受控内存损坏，从而增加其系统权限。有一个在内核中减轻这个漏洞的方法，将堆栈保护区域大小从一页增加到 1 MiB，从而使成功利用这个功能变得困难。

[据原研究文章][14]：

> 计算机上运行的每个程序都使用一个称为堆栈的特殊内存区域。这个内存区域是特别的，因为当程序需要更多的堆栈内存时，它会自动增长。但是，如果它增长太多，并且与另一个内存区域太接近，程序可能会将堆栈与其他内存区域混淆。攻击者可以利用这种混乱来覆盖其他内存区域的堆栈，或者反过来。

### 受到影响的 Linux 发行版

1.  Red Hat Enterprise Linux Server 5.x
2.  Red Hat Enterprise Linux Server 6.x
3.  Red Hat Enterprise Linux Server 7.x
4.  CentOS Linux Server 5.x
5.  CentOS Linux Server 6.x
6.  CentOS Linux Server 7.x
7.  Oracle Enterprise Linux Server 5.x
8.  Oracle Enterprise Linux Server 6.x
9.  Oracle Enterprise Linux Server 7.x
10.  Ubuntu 17.10
11.  Ubuntu 17.04
12.  Ubuntu 16.10
13.  Ubuntu 16.04 LTS
14.  Ubuntu 12.04 ESM (Precise Pangolin)
15.  Debian 9 stretch
16.  Debian 8 jessie
17.  Debian 7 wheezy
18.  Debian unstable
19.  SUSE Linux Enterprise Desktop 12 SP2
20.  SUSE Linux Enterprise High Availability 12 SP2
21.  SUSE Linux Enterprise Live Patching 12
22.  SUSE Linux Enterprise Module for Public Cloud 12
23.  SUSE Linux Enterprise Build System Kit 12 SP2
24.  SUSE Openstack Cloud Magnum Orchestration 7
25.  SUSE Linux Enterprise Server 11 SP3-LTSS
26.  SUSE Linux Enterprise Server 11 SP4
27.  SUSE Linux Enterprise Server 12 SP1-LTSS
28.  SUSE Linux Enterprise Server 12 SP2
29.  SUSE Linux Enterprise Server for Raspberry Pi 12 SP2

### 我需要重启我的电脑么？

是的，由于大多数服务依赖于 GNU C Library 的动态连接器，并且内核自身需要在内存中重新加载。

### 我该如何在 Linux 中修复 CVE-2017-1000364？

根据你的 Linux 发行版来输入命令。你需要重启电脑。在应用补丁之前，记下你当前内核的版本：

```
$ uname -a
$ uname -mrs
```

示例输出：

```
Linux 4.4.0-78-generic x86_64
```

### Debian 或者 Ubuntu Linux

输入下面的 [apt 命令][15] / [apt-get 命令][16]来应用更新：

```
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
```

示例输出：

```
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
  linux-kbuild-4.9 linux-libc-dev locales multiarch-support
14 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/62.0 MB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
Setting up libc6-i386 (2.24-11+deb9u1) ...
Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.24-11+deb9u1) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
cryptsetup: WARNING: could not determine root device from /etc/fstab
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
W: but no matching swap device is available.
I: The initramfs will attempt to resume from /dev/md1p1
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
I: Set the RESUME variable to override this.
/etc/kernel/postinst.d/zz-update-grub:
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-4.9.0-3-amd64
Found kernel: /boot/vmlinuz-3.16.0-4-amd64
Updating /boot/grub/menu.lst ... done

Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_IN.UTF-8... done
Generation complete.
Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
```

使用 [reboot 命令][17]重启桌面/服务器：

```
$ sudo reboot
```

### Oracle/RHEL/CentOS/Scientific Linux

输入下面的 [yum 命令][18]：

```
$ sudo yum update
$ sudo reboot
```

### Fedora Linux

输入下面的 dnf 命令：

```
$ sudo dnf update
$ sudo reboot
```

### Suse Enterprise Linux 或者 Opensuse Linux

输入下面的 zypper 命令：

```
$ sudo zypper patch
$ sudo reboot
```

### SUSE OpenStack Cloud 6

```
$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Server for SAP 12-SP1

```
$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Server 12-SP1-LTSS

```
$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
$ sudo reboot
```

### SUSE Linux Enterprise Module for Public Cloud 12

```
$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
$ sudo reboot
```

### 验证

你需要确认你的版本号在 [reboot 命令][19]之后改变了。

```
$ uname -a
$ uname -r
$ uname -mrs
```

示例输出：

```
Linux 4.4.0-81-generic x86_64
```

### 给 OpenBSD 用户的注意事项

见[此页][20]获取更多信息。

### 给 Oracle Solaris 的注意事项

[见此页][20]获取更多信息。

### 参考

*   [堆栈冲突][4]

--------------------------------------------------------------------------------
作者简介:

Vivek Gite

作者是 nixCraft 的创始人，对于 Linux 操作系统/Unix shell脚本有经验丰富的系统管理员和培训师。他曾与全球客户及各行各业，包括 IT、教育、国防和空间研究以及非营利部门合作。在 [Twitter][1]、[Facebook] [2]、[Google +] [3] 上关注他。

--------------------------------------------------------------------------------

via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/

作者：[Vivek Gite][a]
译者：[geekpi](https://github.com/geekpi)
校对：[wxy](https://github.com/wxy)

本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出

[a]:https://plus.google.com/+CybercitiBiz
[1]:https://twitter.com/nixcraft
[2]:https://facebook.com/nixcraft
[3]:https://plus.google.com/+CybercitiBiz
[4]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
[5]:https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
[6]:https://www.cyberciti.biz/faq/category/centos/
[7]:https://www.cyberciti.biz/faq/category/debian-ubuntu/
[8]:https://www.cyberciti.biz/faq/category/linux/
[9]:https://www.cyberciti.biz/faq/category/redhat-and-friends/
[10]:https://www.cyberciti.biz/faq/category/security/
[11]:https://www.cyberciti.biz/faq/category/suse/
[12]:https://www.cyberciti.biz/faq/category/linux/
[13]:https://access.redhat.com/security/cve/cve-2017-1000364
[14]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
[15]:https://www.cyberciti.biz/faq/ubuntu-lts-debian-linux-apt-command-examples/
[16]:https://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
[17]:https://www.cyberciti.biz/faq/linux-reboot-command/
[18]:https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
[19]:https://www.cyberciti.biz/faq/linux-reboot-command/
[20]:https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
[21]:http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
[22]:https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								如何修补和保护 Linux 内核堆栈冲突漏洞 CVE-2017-1000364
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
+								============================================================
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								在 Linux 内核中发现了一个名为 “Stack Clash” 的严重安全问题，攻击者能够利用它来破坏内存数据并执行任意代码。攻击者可以利用这个及另一个漏洞来执行任意代码并获得管理帐户（root）权限。
 								在 Linux 中该如何解决这个问题？
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								 [![the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris](https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg)][22]
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
 								Qualys 研究实验室在 GNU C Library（CVE-2017-1000366）的动态链接器中发现了许多问题，它们通过与 Linux 内核内的堆栈冲突来允许本地特权升级。这个 bug 影响到了  i386 和 amd64 上的 Linux、OpenBSD、NetBSD、FreeBSD 和 Solaris。攻击者可以利用它来破坏内存数据并执行任意代码。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 什么是 CVE-2017-1000364 bug？
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								[来自 RHN][13]：
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								> 在用户空间二进制文件的堆栈中分配内存的方式发现了一个缺陷。如果堆（或不同的内存区域）和堆栈内存区域彼此相邻，则攻击者可以使用此缺陷跳过堆栈保护区域，从而导致进程堆栈或相邻内存区域的受控内存损坏，从而增加其系统权限。有一个在内核中减轻这个漏洞的方法，将堆栈保护区域大小从一页增加到 1 MiB，从而使成功利用这个功能变得困难。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								[据原研究文章][14]：
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								> 计算机上运行的每个程序都使用一个称为堆栈的特殊内存区域。这个内存区域是特别的，因为当程序需要更多的堆栈内存时，它会自动增长。但是，如果它增长太多，并且与另一个内存区域太接近，程序可能会将堆栈与其他内存区域混淆。攻击者可以利用这种混乱来覆盖其他内存区域的堆栈，或者反过来。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								### 受到影响的 Linux 发行版
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 .  Red Hat Enterprise Linux Server 5.x
 .  Red Hat Enterprise Linux Server 6.x
 .  Red Hat Enterprise Linux Server 7.x
 .  CentOS Linux Server 5.x
 .  CentOS Linux Server 6.x
 .  CentOS Linux Server 7.x
 .  Oracle Enterprise Linux Server 5.x
 .  Oracle Enterprise Linux Server 6.x
 .  Oracle Enterprise Linux Server 7.x
 .  Ubuntu 17.10
 .  Ubuntu 17.04
 .  Ubuntu 16.10
 .  Ubuntu 16.04 LTS
 .  Ubuntu 12.04 ESM (Precise Pangolin)
 .  Debian 9 stretch
 .  Debian 8 jessie
 .  Debian 7 wheezy
 .  Debian unstable
 .  SUSE Linux Enterprise Desktop 12 SP2
 .  SUSE Linux Enterprise High Availability 12 SP2
 .  SUSE Linux Enterprise Live Patching 12
 .  SUSE Linux Enterprise Module for Public Cloud 12
 .  SUSE Linux Enterprise Build System Kit 12 SP2
 .  SUSE Openstack Cloud Magnum Orchestration 7
 .  SUSE Linux Enterprise Server 11 SP3-LTSS
 .  SUSE Linux Enterprise Server 11 SP4
 .  SUSE Linux Enterprise Server 12 SP1-LTSS
 .  SUSE Linux Enterprise Server 12 SP2
 .  SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 我需要重启我的电脑么？
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								是的，由于大多数服务依赖于 GNU C Library 的动态连接器，并且内核自身需要在内存中重新加载。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 我该如何在 Linux 中修复 CVE-2017-1000364？
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								根据你的 Linux 发行版来输入命令。你需要重启电脑。在应用补丁之前，记下你当前内核的版本：
 								```
 								$ uname -a
 								$ uname -mrs
 								```
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								示例输出：
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								```
 								Linux 4.4.0-78-generic x86_64
 								```
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### Debian 或者 Ubuntu Linux
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								输入下面的 [apt 命令][15] / [apt-get 命令][16]来应用更新：
 								```
 								$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
 								```
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								示例输出：
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								```
 								Reading package lists... Done
 								Building dependency tree
 								Reading state information... Done
 								Calculating upgrade... Done
 								The following packages will be upgraded:
 								  libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
 								  linux-kbuild-4.9 linux-libc-dev locales multiarch-support
 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 								Need to get 0 B/62.0 MB of archives.
 								After this operation, 4,096 B of additional disk space will be used.
 								Do you want to continue? [Y/n] y
 								Reading changelogs... Done
 								Preconfiguring packages ...
 								(Reading database ... 115123 files and directories currently installed.)
 								Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
 								Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
 								Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
 								Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
 								Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
 								Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
 								Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
 								Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
 								Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
 								Setting up libc6:amd64 (2.24-11+deb9u1) ...
 								(Reading database ... 115123 files and directories currently installed.)
 								Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
 								Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
 								Setting up libc-bin (2.24-11+deb9u1) ...
 								(Reading database ... 115123 files and directories currently installed.)
 								Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
 								Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
 								Setting up multiarch-support (2.24-11+deb9u1) ...
 								(Reading database ... 115123 files and directories currently installed.)
 								Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
 								Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
 								Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
 								Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
 								Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
 								Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
 								Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
 								Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
 								Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
 								Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
 								Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
 								Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
 								Setting up libc6-i386 (2.24-11+deb9u1) ...
 								Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
 								Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
 								Setting up libc-l10n (2.24-11+deb9u1) ...
 								Processing triggers for man-db (2.7.6.1-2) ...
 								Setting up libc-dev-bin (2.24-11+deb9u1) ...
 								Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
 								/etc/kernel/postinst.d/initramfs-tools:
 								update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
 								cryptsetup: WARNING: failed to detect canonical device of /dev/md0
 								cryptsetup: WARNING: could not determine root device from /etc/fstab
 								W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
 								W: but no matching swap device is available.
 								I: The initramfs will attempt to resume from /dev/md1p1
 								I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
 								I: Set the RESUME variable to override this.
 								/etc/kernel/postinst.d/zz-update-grub:
 								Searching for GRUB installation directory ... found: /boot/grub
 								Searching for default file ... found: /boot/grub/default
 								Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
 								Searching for splash image ... none found, skipping ...
 								Found kernel: /boot/vmlinuz-4.9.0-3-amd64
 								Found kernel: /boot/vmlinuz-3.16.0-4-amd64
 								Updating /boot/grub/menu.lst ... done
 								Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
 								Setting up locales (2.24-11+deb9u1) ...
 								Generating locales (this might take a while)...
 								  en_IN.UTF-8... done
 								Generation complete.
 								Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
 								Processing triggers for libc-bin (2.24-11+deb9u1) ...
 								```
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								使用 [reboot 命令][17]重启桌面/服务器：
 								```
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### Oracle/RHEL/CentOS/Scientific Linux
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								输入下面的 [yum 命令][18]：
 								```
 								$ sudo yum update
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### Fedora Linux
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								输入下面的 dnf 命令：
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
 								```
 								$ sudo dnf update
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### Suse Enterprise Linux 或者 Opensuse Linux
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								输入下面的 zypper 命令：
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
 								```
 								$ sudo zypper patch
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### SUSE OpenStack Cloud 6
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								```
 								$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### SUSE Linux Enterprise Server for SAP 12-SP1
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								```
 								$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### SUSE Linux Enterprise Server 12-SP1-LTSS
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								```
 								$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								### SUSE Linux Enterprise Module for Public Cloud 12
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								```
 								$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
 								$ sudo reboot
 								```
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 验证
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								你需要确认你的版本号在 [reboot 命令][19]之后改变了。
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
 								```
 								$ uname -a
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
+								$ uname -r
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								$ uname -mrs
 								```
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								示例输出：
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								```
 								Linux 4.4.0-81-generic x86_64
 								```
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 给 OpenBSD 用户的注意事项
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								见[此页][20]获取更多信息。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 给 Oracle Solaris 的注意事项
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								[见此页][20]获取更多信息。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								### 参考
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								*   [堆栈冲突][4]
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								--------------------------------------------------------------------------------
 								作者简介:
 								Vivek Gite
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								作者是 nixCraft 的创始人，对于 Linux 操作系统/Unix shell脚本有经验丰富的系统管理员和培训师。他曾与全球客户及各行各业，包括 IT、教育、国防和空间研究以及非营利部门合作。在 [Twitter][1]、[Facebook] [2]、[Google +] [3] 上关注他。
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								--------------------------------------------------------------------------------
 								via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								作者：[Vivek Gite][a]
-												translated

											
										
										
											2017-07-10 15:04:16 +08:00
+								译者：[geekpi](https://github.com/geekpi)
-												PRF&PUB:20170620 How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 .md

@geekpi

											
										
										
											2017-07-11 22:37:54 +08:00
+								校对：[wxy](https://github.com/wxy)
-												20170625-30 选题
											
										
										
											2017-06-25 11:51:44 +08:00
 								本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
 								[a]:https://plus.google.com/+CybercitiBiz
 								[1]:https://twitter.com/nixcraft
 								[2]:https://facebook.com/nixcraft
 								[3]:https://plus.google.com/+CybercitiBiz
 								[4]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
 								[5]:https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
 								[6]:https://www.cyberciti.biz/faq/category/centos/
 								[7]:https://www.cyberciti.biz/faq/category/debian-ubuntu/
 								[8]:https://www.cyberciti.biz/faq/category/linux/
 								[9]:https://www.cyberciti.biz/faq/category/redhat-and-friends/
 								[10]:https://www.cyberciti.biz/faq/category/security/
 								[11]:https://www.cyberciti.biz/faq/category/suse/
 								[12]:https://www.cyberciti.biz/faq/category/linux/
 								[13]:https://access.redhat.com/security/cve/cve-2017-1000364
 								[14]:https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
 								[15]:https://www.cyberciti.biz/faq/ubuntu-lts-debian-linux-apt-command-examples/
 								[16]:https://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
 								[17]:https://www.cyberciti.biz/faq/linux-reboot-command/
 								[18]:https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
 								[19]:https://www.cyberciti.biz/faq/linux-reboot-command/
 								[20]:https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
 								[21]:http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
 								[22]:https://www.cyberciti.biz/media/new/faq/2017/06/the-stack-clash-on-linux-openbsd-netbsd-freebsd-solaris.jpeg