Distribution security response times

Posted Sep 23, 2010 18:03 UTC (Thu) by kees (subscriber, #27264)
Parent article: Distribution security response times

I think it's a bit of an oversight that the article doesn't consider Ubuntu as an "Enterprise" distribution. It's used just like other distros with "Enterprise" in their name, especially the Ubuntu Long Term Support releases.

I'm pretty surprised that the other distros besides Ubuntu and Debian took at least 4 extra days to get these critical fixes published. But more than that, I'm terribly disappointed in the upstream handling of these problems. While blackhats following kernel development closely might be finding vulnerabilities, enabling any script-kiddie in the world to gain local root privileges is seriously irresponsible. These weren't unclear fixes; upstream knew these were critical issues, and they didn't bother to create a coordinated release with the distros, leaving Linux users vulnerable to the response times of their selected distro kernel teams.

If upstream had bothered to even suggest a 1 week embargo, every single distribution would have had updates ready, leaving the window of vulnerability to script kiddies closed. I think it's negligent that they don't even follow their own documented policies on disclosure. Since the issues were not public, they should have gone with a week:

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds