
CVE-2006-2451 update

From:  "Michael K. Johnson" <johnsonm-AT-rpath.com>
To:  lwn-AT-lwn.net
Subject:  CVE-2006-2451 update
Date:  Thu, 13 Jul 2006 16:46:14 -0400
Cc:  jmforbes-AT-rpath.com

In regards to http://lwn.net/Articles/190385/, we are providing an
updated advisory which radically revises the description of the
vulnerabilities and upgrades the rating.
 
I am concerned (and I with others have raised this concern on
vendor-sec) that there has been a tendency in advisories to label
almost any bug as a potential privilege escalation, and I fear that
doing so whenever no one is confident that the bug cannot lead to
a privilege escalation will lead to lack of attention paid to the
cases where there is a known privilege escalation vulnerability,
due to alert fatigue.
 
Our approach is intentionally not to artificially inflate advisory
ratings, and to release updated advisories whenever appropriate.
It is always possible that in the human process of evaluating
severity, we will mis-judge any particular vulnerability. When we
do so, our policy is to release advisory updates, as we would for
any other significant mistake in an advisory. (This will be our
sixth advisory update for any reason, out of 126 released advisories
for rPath Linux 1.) The change in status itself should help avoid
the alert fatigue problem for users of rPath Linux.
 
Least importantly, your complaint about nominal version numbers
really doesn't apply to our advisory. It is specifically about
previous versions of the kernel package we provide, not previous
versions of the kernel. That distinction is both key to Conary
technology (we do not use version number ranking within Conary) and
also the reason that we consistently use wording such as "previous
versions of ... package" in our advisories. Our advisories are
not meant to cover software outside our repositories; the generic
descriptions of vulnerabilities are properly done within the CVE
system, not in vendor-specific advisories.
 
Thank you for recognizing that we did at least publish the
original advisory and update in a timely manner, and for your
continued intelligent and insightful coverage of Linux generally.



CVE-2006-2451 update

Posted Jul 26, 2006 20:00 UTC (Wed) by pimlott (guest, #1535) [Link]

I have a naive question: Do you have any evidence that your ratings correspond to the actual harm experienced by users who fail to patch? Or more specifically, do you have evidence that "known privilege escalation" vulnerabilities are significantly more harmful than "potential privilege escalation" vulnerabilities? Recall that there may be a "self-denying prophecy" effect going on: If I were an attacker, I would focus on exploiting "potential privilege escalation" vulnerabilities, because I know fewer people will patch.

In short, I'm suspicious of your argument. We have to face the fact that our security is bad--really bad--and accept the unpleasant reality that a steady stream of patches is part of the deal. "Alert fatigue", I'm convinced, is something we must combat by making updating easier and more reliable, not by making fairly ignorant guesses about which vulnerabilities are severe.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds