Kerio Connect refuses to start after important kernel update (Kerio Connect is the only software that refuses to start after important kernel update)
  •  
lgsit

Messages: 32
Karma: 0
Hello,

We're using CentOS 7.3 (x64) and had to update its kernel from 3.10.0-514.21.1 to 3.10.0-514.21.2 to fix a critical security issue ("Stack Guard security vulnerability").

After rebooting the system I noticed that Kerio Connect is not running. After manually starting it via command line, I got an error that it could not be started and found the following lines inside the syslog file:

Jun 22 08:38:16 hostname systemd: Starting Kerio Connect...
Jun 22 08:38:16 hostname systemd: Failed at step EXEC spawning /opt/kerio/mailserver/mailserver: Argument list too long
Jun 22 08:38:16 hostname systemd: kerio-connect.service: control process exited, code=exited status=203
Jun 22 08:38:16 hostname systemd: Failed to start Kerio Connect.
Jun 22 08:38:16 hostname systemd: Unit kerio-connect.service entered failed state.
Jun 22 08:38:16 hostname systemd: kerio-connect.service failed


After the kernel update all programs on all of our servers still run without any problems, except for Kerio Connect.

I verified that the kernel update is the only cause of this issue. As soon as I install the old kernel (which I want to avoid because of the security issues, of course), Kerio Connect starts and works.

All other updates, e.g. for glibc (which also contains a security fix), do not affect Kerio Connect in any way.

Does anybody have the same situation?

Thanks in advance!

[Updated on: Thu, 22 June 2017 09:22]

  •  
areichmann

Messages: 96
Karma: 6
It's better to open a ticket ... this forum is not actively monitored by GFI.

https://www.gfi.com/support/technical-support-form

And please give us a status update ;)
  •  
dbastas

Messages: 1
Karma: 0
Same thing happened to me.
Any update?
  •  
lgsit

Messages: 32
Karma: 0
Quote:
Any update?
Not yet.

Quote:
It's better to open a ticket
Okay, I will do so.

Edit: Ticket has been opened. Waiting for GFI to answer.

Quote:
please give us a status update
Yes, of course! As soon as I get some information, I will post it here. :)

[Updated on: Thu, 22 June 2017 16:03]

  •  
rhunter

Messages: 79
Karma: 0
Has your ticket gotten a response?
  •  
lgsit

Messages: 32
Karma: 0
Quote:
Has your ticket gotten a response?
Unfortunately, not (yet).

As soon as I have an answer or solution I will post it here.
  •  
lgsit

Messages: 32
Karma: 0
Some news here.

GFI finally responded. They told me I should run the mailserver via
/opt/kerio/mailserver/mailserver
and when I do so I get the following message:
Kerio Connect failed to start: Library libkticonv.so.2 could not be loaded
However, this library does not exist in any of the repos I have installed on the system (CentOS standard repos, epel, elrepo).

Furthermore, GFI has some additional questions I need to answer.

As soon as I have some more information, I will post it here.

[Updated on: Tue, 27 June 2017 14:19]

  •  
areichmann

Messages: 96
Karma: 6
Maybe GFI should install their own CentOS 7.3 (x64) with Connect instead of doing outsourced testing with @lgsit ... the problem (for me) seems to be easy to reproduce with every CentOS 7.3 (x64)

[Updated on: Tue, 27 June 2017 08:34]

  •  
lgsit

Messages: 32
Karma: 0
Quote:
maybe GFI should install their own CentOS 7.3 (x64) with Connect instead
Definitely. Maybe they will, but I guess they won't.

Quote:
seems to be easy to reproduce with every CentOS 7.3 (x64)
Same with RHEL 7.3 (x64). Tried it and had exactly the same behavior.

[Updated on: Tue, 27 June 2017 14:17]

  •  
vlada

Messages: 34
Karma: -2
Maybe that is not a problem of Kerio but of the new kernel.

This is the description of the latest openSUSE kernel update:
Patch: openSUSE-2017-734 Kind: security Version: 1
|..The openSUSE Leap 42.2 kernel was updated to 4.4.73 to receive security and bugfixes.
|..The following security bugs were fixed:
|..- CVE-2017-1000364: An issue was discovered in the size of the stack guard
|.....page on Linux, specifically a 4k stack guard page is not sufficiently
|.....large and can be "jumped" over (the stack guard page is bypassed), this
|.....affects Linux Kernel versions 4.11.5 and earlier (the stackguard page
|.....was introduced in 2010) (bnc#1039348).
|.....The previous fix caused some Java applications to crash and has been
|.....replaced by the upstream fix.



It is possible that your fixed kernel needs another fix too ...
  •  
lgsit

Messages: 32
Karma: 0
Quote:
Maybe that is not problem of Kerio but new kernel
Seems like.

I also contacted the Red Hat support a few days ago about the issue and got the following response today:

Quote:
A bug has been opened for this issue so we expect a fix in the near future.

You can follow the progress of the bug here if you like: https://bugzilla.redhat.com/show_bug.cgi?id=1463241
Unfortunately there is no workaround in kernel.

Your application vendor may be able to provide you a workaround.
This is the current situation.

Edit 1: Even though the Red Hat support provided a link to the bug, I will post relevant answers if there are any.
Edit 2: Ticket on the part of Red Hat has been closed, due to the provided link.

[Updated on: Wed, 28 June 2017 11:07]

  •  
3ndpr0

Messages: 2
Karma: 0
Hi, same situation here. I've opened a ticket with GFI.
  •  
paulf123

Messages: 3
Karma: 0
Everyone's waiting. Brutal and support is now brutal from GFI.
  •  
lgsit

Messages: 32
Karma: 0
Quote:
Red Hat support provided a link to the bug
Red Hat has released a new kernel (3.10.0-514.26.1) which seems to fix the issue (just tested it on RHEL 7 as well as CentOS 7).

Quote:
Everyone's waiting
Same here (also opened one before). However, I guess after the issue has been fixed you can dispose of the GFI tickets.

3ndpr0

Messages: 2
Karma: 0
With the last kernel all works fine!
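
Added example (not part of any post in this thread): a shell triage helper that finds the failure signature from the first post's syslog excerpt and reports what the posters said about a given kernel release. The function names and verdict labels are assumptions made for this example, and the log sample is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Kernel releases and log text are those
# quoted by the posters; function names and verdict labels are made up here.

# Constructed sample: part of the syslog excerpt from the first post.
sample_log() {
cat <<'EOF'
Jun 22 08:38:16 hostname systemd: Starting Kerio Connect...
Jun 22 08:38:16 hostname systemd: Failed at step EXEC spawning /opt/kerio/mailserver/mailserver: Argument list too long
Jun 22 08:38:16 hostname systemd: kerio-connect.service: control process exited, code=exited status=203
Jun 22 08:38:16 hostname systemd: Failed to start Kerio Connect.
EOF
}

# stdin: syslog lines. stdout: "<unit> <binary>" for each unit whose binary
# could not be exec'd with "Argument list too long" (E2BIG from execve).
exec_e2big_units() {
    awk '
    /Failed at step EXEC spawning .*: Argument list too long/ {
        bin = $0
        sub(/.*Failed at step EXEC spawning /, "", bin)
        sub(/: Argument list too long.*/, "", bin)
    }
    # The unit name is on the following status=203 (systemd EXIT_EXEC) line.
    bin != "" && /: control process exited, code=exited status=203/ {
        unit = $0
        sub(/: control process exited.*/, "", unit)
        sub(/.* /, "", unit)
        print unit, bin
        bin = ""
    }'
}

# Map a `uname -r` string to what the posters reported for that kernel.
kernel_verdict() {
    case "${1%.el7*}" in
        3.10.0-514.21.1) echo "pre-fix" ;;      # starts, lacks the security fix
        3.10.0-514.21.2) echo "regressed" ;;    # Kerio Connect fails to start
        3.10.0-514.26.1) echo "fixed" ;;        # reported to start again
        *)               echo "not-covered" ;;  # thread says nothing about it
    esac
}

triage() {   # usage: triage <kernel-release> < syslog
    verdict=$(kernel_verdict "$1")
    exec_e2big_units | while read -r unit bin; do
        echo "$unit: exec of $bin failed (E2BIG); kernel $1 is $verdict"
    done
}

sample_log | triage 3.10.0-514.21.2.el7.x86_64
```

On a live host, feed it the real log and running kernel instead of the sample: `triage "$(uname -r)" < /var/log/messages`.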