How can anyone seriously trust the vendor kernels when upstream won't be honest about the changes they're committing? If you're not using the latest kernel.org kernel, you're only getting a fraction of the vulnerability fixes that should be backported.
Posted Aug 14, 2010 15:47 UTC (Sat) by mikachu (guest, #5333)
And why was it reported to Ted privately instead of lkml and/or security@kernel.org? (According to the .c file comments). Why don't the comments link to the commit in grsec that fixes it, or indeed any pointer at all that would be helpful instead of just trolling?
Stable kernel updates
Posted Aug 14, 2010 18:39 UTC (Sat) by spender (subscriber, #23067)
You wanted a helpful commit message? You must be one of those fringe security leaches [sic] that just can't understand that a bug is a bug and that the fix is the disclosure! Look through our 1.5MB patch -- it's all you need.
If it's not good enough you can pay for Enterprise Linux (tm) support where we'll pay someone to assume my responsibility.
The community reached consensus over a year ago that this is perfectly acceptable, why do you have a problem with it?
-Brad
Stable kernel updates
Posted Aug 14, 2010 19:44 UTC (Sat) by nix (subscriber, #2304)
Because you were the one making a huge song and dance about it being unacceptable to act that way, so if anyone could be expected to act differently, it would be you?
(Of course, maybe it's simply unacceptable except *if* it's you. I don't believe you changed your mind, because you still make such a bloody noise in the LWN comments to virtually every stable kernel release, in an apparent effort to eliminate all collegiality whatsoever from the commenting here and make it all viciously adversarial. Thanks heaps.)
Stable kernel updates
Posted Aug 19, 2010 21:28 UTC (Thu) by chad.netzer (✭ supporter ✭, #4257)
"If you're not using the latest kernel.org kernel, you're only getting a fraction of the vulnerability fixes that should be backported."
It would be nice to have this statement either validated, or refuted. Which vendors are vulnerable because they have not backported a vulnerability fix, because it isn't disclosed as such in the commit log? It must be many if only "a fraction" of such commits are backported.