Drawback of stable kernel development

Posted Dec 1, 2003 21:41 UTC (Mon) by Felix.Braun (subscriber, #3032)
Parent article: A Debian kernel security update

This appears to be the drawback of Marcelo's very stable way of maintaining the 2.4 kernel. If a fix does not make it into one release, the official kernel sources will be vulnerable for a couple of months. Of course, in theory nobody should have to run a vanilla kernel. Yet, in practice this seems to be quite common.

Drawback of stable kernel development

Posted Dec 1, 2003 22:17 UTC (Mon) by stuart (subscriber, #623)

Given that non-vanilla (distributor) kernels are quite likely to be vulnerable to this problem, it makes little difference in this example.

Stu.

Drawback of stable kernel development

Posted Dec 1, 2003 22:18 UTC (Mon) by miekg (subscriber, #4403)

Well, they did use pre-releases for .22. So they could just as easily have upgraded to the latest .23 pre-release when it became available.

I'm also glad it turned out to be a known exploit.

Drawback of stable kernel development

Posted Dec 1, 2003 22:24 UTC (Mon) by southey (subscriber, #9466)

Actually I am glad that it was not a remote exploit - known or unknown!

sysadmin's mistake

Posted Dec 1, 2003 23:13 UTC (Mon) by xose (guest, #535)

Sorry guy. But it's not Marcelo's mistake.

Kernel hackers recommend staying with the latest distribution kernels.

ac's words

Otherwise you will have to check linux-kernel every day to know if a 'stable' kernel has some critical bug.

thread 1

thread 2

thread 3

sysadmin's mistake

Posted Dec 1, 2003 23:38 UTC (Mon) by huaz (guest, #10168)

Sorry but it's just an excuse. What's a maintainer's job, if not applying security fixes as soon as possible?

It's the job of whoever releases a kernel, Marcelo being the most important one.

sysadmin's mistake

Posted Dec 2, 2003 20:07 UTC (Tue) by xose (guest, #535)

You are free to download the latest patches applied to the kernel in real time:

http://kernel.org/pub/linux/kernel/v2.4/testing/cset/

Release managers' mistake

Posted Dec 1, 2003 23:47 UTC (Mon) by bgilbert (subscriber, #4738)

You're confusing reality with good practice. It's true that if you want to know about security problems in the current stable kernel, you have to read lkml. The reason is that none of the kernel release managers seem to care about security*. Through the 2.2 series, security issues tended to prompt new kernel releases in fairly short order; this theory of "if you care about security, read lkml or run a kernel released by someone who gives a damn" is recent and wrong. Vanilla kernels are kernels in their own right; they're not just a bunch of code which is provided to vendors solely as a starting point for a real system. More than that, they're the only kernels backed by Linus and company; no one cares about vendor kernels except for one vendor and its user base. And so, the end result of the security apathy of Alan and the others is that the most recent official release of Linux 2.4 contained a local root exploit for three months. Does anyone really believe this to be acceptable?

* The most prominent recent example: Alan's fix to the ptrace bug broke a number of other things, but once the code was written no one was particularly interested in fixing it.

Release managers' mistake

Posted Dec 2, 2003 7:27 UTC (Tue) by Ross (subscriber, #4065)

I certainly agree with you and I had similar feelings with delayed security (and ext3 corruption) fixes for other 2.4 releases and missing security patches in 2.6 which are present in 2.4.

Release managers' mistake

Posted Dec 2, 2003 9:44 UTC (Tue) by wichert (subscriber, #7115)

Kernel release managers definitely care about security, and kernel security is always discussed by vendors and the relevant kernel folks. In this case the fix had been known for a while, but nobody realised just how dangerous this bug was. With a project as complicated and filled with subtleties, that is not all that unexpected.

Your example of Alan's fix for the ptrace bug actually is a fine counterexample of your suggestion that kernel maintainers do not care about security: it was quickly fixed even though the fix broke a few things. Alan fixed the ptrace hole quickly to fix the security problem and relied on others to fix the fallout while he could focus on more pressing issues.

Release managers' mistake

Posted Dec 2, 2003 12:41 UTC (Tue) by hppnq (guest, #14462)

Plus, IIRC Alan was very much involved with 2.2, which sort of makes the whole statement moot. ;-)

And of course it is the responsibility of sysadmins to apply patches or fix problems if necessary. Waiting for the next release is just not good enough, sometimes.

sysadmin's mistake

Posted Dec 2, 2003 9:47 UTC (Tue) by cbcbcb (guest, #10350)

Except that several distributions didn't know about this bug (Trustix and Mandrake have only just patched this since Debian released this info). I read lkml every day, and I don't remember seeing this bug either. I hope that Andrew Morton does a better job of publishing security fixes for 2.6.

sysadmin's mistake

Posted Dec 2, 2003 15:07 UTC (Tue) by cate (subscriber, #1359)

> (Trustix and Mandrake have only just patched this since Debian released this info)

Security issues aren't handled that way. Surely Debian advised the other distributions about the vulnerability a few days ago. The Debian attack was made between November 20 and 21. CVE set the vulnerability number on November 26 (by RedHat). According to RedHat's bugs, the bug was disclosed only today (December the first), but was already known and corrected. Surely most of the distributions had patched and corrected the kernel before the official Debian announcement. Maybe they are late in announcing it, or LWN has not yet updated the security announcements. For sure, before a security announcement is made, a few people at the major distributions know about the problem and prepare the patches.

> I read lkml every day, and I don't remember seeing this bug either.

AFAIK nobody knew about the root exploit before the attack on the Debian machines (except, naturally, some crackers). The error in the kernel seemed inoffensive.

sysadmin's mistake

Posted Dec 2, 2003 17:07 UTC (Tue) by cbcbcb (guest, #10350)

> Surely most of the distributions had patched and corrected the kernel before the official Debian announcement.

Not all of them. That was the point of my post. Look at the date in: http://lwn.net/Articles/60813/

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds