CVE-2006-2451 update
[Posted July 18, 2006 by ris]
From: "Michael K. Johnson" <johnsonm-AT-rpath.com>
To: lwn-AT-lwn.net
Subject: CVE-2006-2451 update
Date: Thu, 13 Jul 2006 16:46:14 -0400
Cc: jmforbes-AT-rpath.com
In regards to http://lwn.net/Articles/190385/, we are providing an
updated advisory which radically revises the description of the
vulnerabilities and upgrades the rating.
I am concerned (and I, with others, have raised this concern on
vendor-sec) that there has been a tendency in advisories to label
almost any bug as a potential privilege escalation, and I fear that
doing so whenever no one is confident that the bug cannot lead to
a privilege escalation will lead to lack of attention paid to the
cases where there is a known privilege escalation vulnerability,
due to alert fatigue.
Our approach is intentionally not to artificially inflate advisory
ratings, and to release updated advisories whenever appropriate.
It is always possible that in the human process of evaluating
severity, we will mis-judge any particular vulnerability. When we
do so, our policy is to release advisory updates, as we would for
any other significant mistake in an advisory. (This will be our
sixth advisory update for any reason, out of 126 released advisories
for rPath Linux 1.) The change in status itself should help avoid
the alert fatigue problem for users of rPath Linux.
Least importantly, your complaint about nominal version numbers
really doesn't apply to our advisory. It is specifically about
previous versions of the kernel package we provide, not previous
versions of the kernel. That distinction is both key to Conary
technology (we do not use version number ranking within Conary) and
also the reason that we consistently use wording such as "previous
versions of ... package" in our advisories. Our advisories are
not meant to cover software outside our repositories; the generic
descriptions of vulnerabilities are properly done within the CVE
system, not in vendor-specific advisories.
Thank you for recognizing that we did at least publish the
original advisory and update in a timely manner, and for your
continued intelligent and insightful coverage of Linux generally.