Re: thoughts on kernel security issues

[Greg KH]

On Wed, Jan 12, 2005 at 06:28:38PM -0800, Andrew Morton wrote:
> 
> IMO, local DoS holes are important mainly because buggy userspace
> applications allow remote users to get in and exploit them, and for that
> reason we of course need to fix them up.  Even though such an attacker
> could cripple the machine without exploiting such a hole.
> 
> For the above reasons I see no need to delay publication of local DoS holes
> at all.  The only thing for which we need to provide special processing is
> privilege escalation bugs.
> 
> Or am I missing something?

So, a "classification" of the severity of the bug would cause different
type of disclosures?  That's a good idea in theory, but trying to nail
down specific for bug classifications tends to be difficult.

Although I think both Red Hat and SuSE have a classification system in
place already that might help out here.

Anyway, if so, I like it.  I think that would be a good thing to have,
if for no other reason that I don't want to see security announcements
for every single driver bug that's patched that had caused a user
created oops.

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/