
A pile of stable kernel releases

The 5.17.5, 5.15.36, 5.10.113, 5.4.191, 4.19.240, 4.14.277, and 4.9.312 stable kernels have all been released, one day earlier than had originally been expected. As usual, each contains another set of important fixes.


A pile of stable kernel releases

Posted Apr 27, 2022 15:49 UTC (Wed) by calumapplepie (guest, #143655) (3 responses)

I'm getting "exploit in the wild" vibes from this... that or Greg forgot what day of the week it is, which I do on a regular basis

A pile of stable kernel releases

Posted Apr 27, 2022 20:55 UTC (Wed) by atnot (guest, #124910) (2 responses)

That is a great demonstration why the Linux policy of not explicitly marking important security fixes is pointless to counterproductive. Defenders don't know whether they need to stand by to patch, while it is absolutely trivial for attackers to notice an irregular release date, do a search through the list of commit authors and find the ones that are from a security researcher.

Through the power of lore.kernel.org, you can even just skip a step and query for patches mentioning say, notable developers from Google Project Zero to receive advanced notification. E.g.: https://lore.kernel.org/all/?q=Jann+Horn+s%3A%5BPATCH%5D+...

A pile of stable kernel releases

Posted May 2, 2022 6:43 UTC (Mon) by calumapplepie (guest, #143655) (1 response)

OTOH, Greg holds the position that every kernel bug is a security bug, and that every stable release fixes kernel (and by extension security) bugs.

A pile of stable kernel releases

Posted May 2, 2022 8:48 UTC (Mon) by atnot (guest, #124910)

I'm somewhat sympathetic to this idea, as not labeling things as security issues can give people a false sense of security. But combined with the cryptic commit messages even fixes for actively exploited vulnerabilities get, it also makes it pretty hard for defenders to track the severity and prevalence of certain bugs and fixes.

"If everything is important, then nothing is", as they say.


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds