
Stable kernel 2.6.38.7

The 2.6.38.7 stable kernel update is out with another set of important fixes.


Stable kernel 2.6.38.7

Posted May 22, 2011 17:27 UTC (Sun) by arekm (guest, #4846) (14 responses)

"All users of the 2.6.xx kernel series must upgrade."

This becomes a very bad joke :-/

Stable kernel 2.6.38.7

Posted May 22, 2011 19:04 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) (3 responses)

By now, everybody and their NSA should operate under assumption that Linux by itself is NOT secure.

It might be fairly secure from remote exploitation, but security from local exploits? Forget it.

Stable kernel 2.6.38.7

Posted May 23, 2011 2:28 UTC (Mon) by dgm (subscriber, #49227)

Nobody with a hint of what security means would say that Linux is, or has ever been, completely secure. Alan Cox, for example, said so explicitly in 2006: http://www.techrepublic.com/article/linux-expert-warns-of...

Linus himself has said it many times, too (I cannot find the cite right now).

It's not the first time a bug that allows local or remote compromise has been published, and fixed. If anything, Linux's developers can (and do) claim that they are fast to plug holes once they are aware of them, reducing the amount of time most systems are exposed.

So, what's so new and game changing?

Stable kernel 2.6.38.7

Posted May 24, 2011 0:44 UTC (Tue) by jjs (guest, #10315) (1 responses)

> By now, everybody and their NSA should operate under assumption that Linux by itself is NOT secure.

Of course, neither is any other OS or application in widespread use.

Stable kernel 2.6.38.7

Posted May 25, 2011 11:26 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

Not really. There are secure OSes (mostly academic ones).

I'd trust QNX much more than I trust Linux, for example. Then there are academic OSes written in safe languages (Singularity) and with the proven microkernel (seL4 - http://ertos.nicta.com.au/research/l4.verified/).

Ditching C for something more secure goes a long way to make an OS more robust.

Stable kernel 2.6.38.7

Posted May 22, 2011 22:30 UTC (Sun) by kragil (guest, #34373) (8 responses)

The way I see it is:

Stable kernel security codes:
strongly encouraged to upgrade = local exploit
must upgrade = remote exploit

That is a logical explanation for the different wording.

Stable kernel 2.6.38.7

Posted May 22, 2011 23:06 UTC (Sun) by dlang (guest, #313) (7 responses)

That is not the case; it's more a matter of a coin flip as to which terminology is used on a particular release.

they are explicitly _not_ trying to make a statement about what and how severe any security vulnerabilities in the release are.

Stable kernel 2.6.38.7

Posted May 23, 2011 9:37 UTC (Mon) by ledow (guest, #11753) (6 responses)

Does the severity matter? More important is your own personal risk-limit. If you don't want *any* risk, you must upgrade EVERY SINGLE TIME. Everything else is a trade-off, and there's no person in the world who can tell you "how risky" something like that is. You could get every Linux expert banging on a security bug for decades and still not find an exploit that someone could hit in two seconds with a fuzzer of their own, for example.

The whole "how dangerous is it" question isn't one that can be answered and, if the answer actually matters to you, it DOESN'T matter how dangerous it is - you should be upgrading.

It's like saying "How dangerous is it to not have the timing belt on a car be within 0.1% accuracy instead of 0.2%?" Nobody can say without an awful lot of testing and deployment and recording how much more "danger" shows up. And if the answer MATTERS to you, you're the one that's going to need to do that testing and deployment - which you should be doing anyway with EVERY change.

I do hate the people that whinge on about this like it's the end of the world when, in fact, to anyone where it matters, it's *THEIR* responsibility to find out - not some random release developer that approved a patch from a maintainer that forwarded a patch from a random programmer that probably wouldn't be able to tell how "safe" it was (unless in comparison to previous code - e.g. probably less or more safe than before).

BTW: Where's PaXTeam - not shown up yet?

Stable kernel 2.6.38.7

Posted May 23, 2011 14:11 UTC (Mon) by proski (subscriber, #104) (5 responses)

The car analogy brings an interesting insight. Adjusting the timing belt on one car is time consuming. There is a certain risk of something going wrong. You would not trust a random person to do that.

And if a car maker decides to adjust timing belts on all cars of a certain model and year, that can cost many millions of dollars.

Even though car safety matters to drivers and car makers, the decision to make repairs is not always obvious. Testing is important so that the impact of the changes can be compared to other factors, such as cost and risks of damaging something during the service.

Upgrading kernels may be trivial on a personal laptop of a power user, but it may be expensive and risky on a large server or a critical embedded system. The impact of the bugs is relevant when such upgrades are considered.

Stable kernel 2.6.38.7

Posted May 23, 2011 15:54 UTC (Mon) by NAR (subscriber, #1313) (3 responses)

I think that the approach used to be "if you can't decide yourself based on the commits, you shouldn't use this kernel but the one from your distributor".

Stable kernel 2.6.38.7

Posted May 23, 2011 16:24 UTC (Mon) by arekm (guest, #4846) (2 responses)

No idea why so many people think there is some magic "distributor". In many cases there isn't. People are their own distributors/vendors and there is no "upper" one beside authors of the software.

Stable kernel 2.6.38.7

Posted May 23, 2011 17:34 UTC (Mon) by mpr22 (subscriber, #60784) (1 responses)

> No idea why so many people think there is some magic "distributor".

Because this is 2011, not 1993. I would expect that by all reasonable metrics, people who don't use a third-party distribution (be it Ubuntu, RHEL, SUSE, or whatever) are a fairly small minority of the Linux user base.

Stable kernel 2.6.38.7

Posted May 23, 2011 17:44 UTC (Mon) by arekm (guest, #4846)

Maybe small "user" base but surely bigger "developer" base.

Stable kernel 2.6.38.7

Posted May 23, 2011 17:49 UTC (Mon) by ThinkRob (guest, #64513)

> Upgrading kernels may be trivial on a personal laptop of a power user, but it may be expensive and risky on a large server or a critical embedded system. Impact of the bugs is relevant when such upgrades are considered.

And thus enterprise Linux was born. :D

I'd be willing to bet that -- outside of some niche use cases -- if you're running a critical server on Linux, you're doing it on an enterprise-oriented distro, and thus the distro maintainers (to whom you likely pay a good chunk of change) help address the risks involved.

Stable kernel 2.6.38.7

Posted May 23, 2011 8:44 UTC (Mon) by Darkmere (subscriber, #53695)

I believe Greg got fed up with comments about which bugs may or may not be security related and folded into an even/odd version of "should upgrade" "must upgrade" "strongly urged to upgrade".

Security vulnerabilities with CVEs attached are logged as such, but the general maintainer consensus appears to be that data corruption or crashers are at least as good reasons to upgrade as various security issues can be. And the only way to avoid the fecal-flinging discussion is to blanket state "upgrade now".
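Two comments in this thread point at the same practical step: NAR's "decide yourself based on the commits" and Darkmere's note that fixes with CVEs attached are logged as such, while the release wording itself says nothing about severity. The shell script below is an added example for that triage step; it is not code from LWN, from any commenter, or from the kernel project. It reads commit subjects in the form produced by `git log --no-merges --format='%h %s' v2.6.38.6..v2.6.38.7` and flags the ones that mention a CVE or a typical memory-safety or missing-check fix. The commit subjects embedded in the script are constructed for the example (CVE-0000-0000 is a placeholder, not a real identifier), and the keyword list is an assumption about how such fixes are usually worded, not a kernel convention.

```shell
#!/bin/sh
# Added example: triage the commits of a stable-kernel point release for
# likely security fixes. Not LWN's, a commenter's or the kernel's own code.
#
# Real usage, from a kernel git checkout:
#   git log --no-merges --format='%h %s' v2.6.38.6..v2.6.38.7 | triage_stable_log
#
# The stable announcement does not rate severity, so the classification has
# to be done by whoever decides whether to roll the release out. The keyword
# list is an assumption about how memory-safety and missing-check fixes tend
# to be described in commit subjects; it is a prompt to read the diff, not a
# verdict.

# Extended regex for grep -E, matched case-insensitively against each subject.
SECURITY_PATTERN='CVE-[0-9]{4}-[0-9]{4,}|overflow|use-after-free|double free|out-of-bounds|uninitiali[sz]ed|missing [a-z ]*check|privilege|capabilit'

# Read "hash subject" lines on stdin; print the ones that look security-relevant.
triage_stable_log() {
    grep -E -i "$SECURITY_PATTERN"
}

# Number of flagged commits, for a quick "look at this release now?" gate.
count_security_commits() {
    triage_stable_log | wc -l | tr -d ' '
}

# The commits that were NOT flagged, so the remainder can still be reviewed
# (a data-corruption fix, as Darkmere notes, is just as good a reason to upgrade).
unflagged_commits() {
    grep -E -i -v "$SECURITY_PATTERN"
}

# Constructed sample log; these are not real 2.6.38.7 commits and
# CVE-0000-0000 is a placeholder identifier.
SAMPLE_LOG='aaaa111 net: example: add missing length check in example_recvmsg (CVE-0000-0000)
bbbb222 fs: example: fix use-after-free on close
cccc333 MAINTAINERS: update example driver entry
dddd444 x86: fix typo in comment
eeee555 drivers: example: zero uninitialized stack struct before copy_to_user'

# Stand-alone demonstration over the constructed sample: prints the three
# flagged subjects (aaaa111, bbbb222, eeee555).
printf '%s\n' "$SAMPLE_LOG" | triage_stable_log
```

A keyword hit means the diff deserves a read before the release is deployed; a miss does not mean the commit is harmless, which is why `unflagged_commits` is there to hand the rest of the list to a reviewer rather than dropping it. Pipe the real `git log` range in place of the sample to use it on an actual release.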


Copyright © 2011, Eklektix, Inc.