Hi everyone,

From what I know, the GLSA announcing the Feb 18 do_mremap kernel
vulnerability is still not out, though most (if not all) of the packages
implementing the correction are available in portage. I think we've a
problem here which should be addressed.

I've heard it was delayed so that it can include several more
corrections. I think it's a mistake; this vulnerability is important
enough that a delay of more than 12 days is not acceptable... I
obviously missed something here, maybe there is another reason I don't
know of; if it is so please tell me ;)

It's not the first time that a kernel-related GLSA has a significant lag
between discovery and release. There are two different directions in
solving this problem:

1/ we acknowledge that a specific GLSA should have been released on this
specific problem ASAP, and take steps to avoid the problem next time

2/ we keep the "the less GLSA the better" approach which leads to big
lags in all kernel-related GLSAs, then we need a different alert mechanism
so that people can be warned of the problem

In situation (1) there should be a maximum acceptable delay in the GLSA
policy, so that a GLSA can wait some time for validation and
consolidation, but not too much. In situation (2) we need another
communication medium (security alerts as opposed to security advisories)
to warn people in advance. Advisories can still be delayed so that they
include "the definitive fix(TM)", but cumulative warnings can be sent
out the moment the vulnerability is discovered and the minute corrective
vanilla-sources packages are available in portage.

If the policy is already there but there wasn't enough manpower to
enforce it, then maybe the gentoo-security herd should recruit ;)

I would like your input on the subject. Sorry for those who already read
some of this rant on gentoo-dev, that was off-topic there, and thanks to
Mike for pointing me to the right place (although I didn't really find a
recent thread to shamelessly plug into) :)

PS: glsa-test shows a 200402-09 GLSA dated Feb 18 on the subject, but
apparently it didn't make it upstream.

- Koon


--
gentoo-security@g.o mailing list