Re: thoughts on kernel security issues

From: Marek Habersack
Date: Thu Jan 13 2005 - 14:38:21 EST


On Wed, Jan 12, 2005 at 09:38:07PM -0800, Barry K. Nathan scribbled:
> On Thu, Jan 13, 2005 at 04:53:31AM +0100, Marek Habersack wrote:
> > archived mail message or a webpage with the patch. Hoping he'll find the
> > fixes in the vendor kernels, he goes to download source packages from SuSe,
> > RedHat or Trustix, Debian, Ubuntu, whatever and discovers that it is as easy
> > to find the patch there as it is to fish it out of the vanilla kernel patch
> > for the new version. Frustrating, isn't it? Not to mention that he might
>
> http://linux.bkbits.net is your friend.
I know about that, but many people don't.

> Each patch (including security fixes) in the mainline kernels (2.4 and
> 2.6) appears there as an individual, clickable link with a description
> (e.g. "1.1551 Paul Starzetz: sys_uselib() race vulnerability
> (CAN-2004-1235)").
>
> If other patches have gone in since then, you may have to scroll through
> a (short-form) changelog. However, it's still less frustrating than the
> scenario you portray.
Less frustrating, yes, safer, not even slightly. You are still left on the
thin ice precisely the moment you are notified about the vulnerability (when
it goes public). Those not being members of vendor-sec still don't have the
privilege to know about the vulnerability ahead of time, before it goes
"officially" public. Besides, I know a few people who administer linux
machines who don't know what bkbits.net is, and they don't have to. There
should be a single place, a webpage which you can visit (or get an rss feed
of) and be sure you will be among the first to know about a vulnerability
(yes, I know about the CIA feeds, but this is still not the real thing,
IMHO).

regards,

marek

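The short-form changelog Barry describes is what an administrator ends up scanning by hand to learn whether a given fix is in. The following script is an added example, not code from either poster or from bkbits.net: it filters changelog lines in the quoted style ("revision Author: description (CAN-YYYY-NNNN)") down to the entries that carry a CAN or CVE identifier, and answers the question "is this identifier fixed in this release?". The changelog text is constructed for the example; only the sys_uselib() line is taken from the thread, and the regex formats are an assumption about that archive's layout.

```python
import re
from dataclasses import dataclass

# Constructed sample of a short-form changelog in the style quoted in the
# thread. Only the sys_uselib() line comes from the page; the other entries
# are invented filler to show that non-security commits are skipped.
SAMPLE_CHANGELOG = """\
1.1549 Some Developer: fix typo in Documentation/networking
1.1550 Another Developer: ext3: quiet a harmless warning
1.1551 Paul Starzetz: sys_uselib() race vulnerability (CAN-2004-1235)
1.1552 Some Developer: update MAINTAINERS
"""

# CAN-YYYY-NNNN was the "candidate" form in use in 2005; CVE-YYYY-NNNN is
# the form used since. Matching both keeps the filter useful on newer logs.
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")

# Assumed entry layout: "<revision> <author>: <description>".
ENTRY_RE = re.compile(r"^(?P<rev>\S+)\s+(?P<author>[^:]+):\s*(?P<desc>.*)$")


@dataclass(frozen=True)
class SecurityEntry:
    revision: str
    author: str
    description: str
    ids: tuple  # every CAN/CVE identifier mentioned on that line


def security_entries(changelog: str):
    """Return only the changelog entries that reference a CAN/CVE identifier."""
    found = []
    for line in changelog.splitlines():
        ids = tuple(ID_RE.findall(line))
        if not ids:
            continue  # ordinary commit, not what the admin is looking for
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(SecurityEntry(m["rev"], m["author"].strip(), m["desc"], ids))
        else:
            # Keep the line even if it does not follow the expected layout;
            # a security reference should never be silently dropped.
            found.append(SecurityEntry("?", "?", line.strip(), ids))
    return found


def is_fixed(changelog: str, vuln_id: str) -> bool:
    """True if some entry in the changelog references vuln_id (case-insensitive)."""
    vuln_id = vuln_id.upper()
    return any(vuln_id in entry.ids for entry in security_entries(changelog))


if __name__ == "__main__":
    for entry in security_entries(SAMPLE_CHANGELOG):
        print(entry.revision, entry.author, "->", ", ".join(entry.ids))
    print("CAN-2004-1235 fixed:", is_fixed(SAMPLE_CHANGELOG, "CAN-2004-1235"))
```

Run against a changelog saved from the archive, this replaces scrolling with a single check per identifier; entries without an identifier in the description are invisible to it, which is exactly the gap the thread complains about.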