| 1 |
Hi everyone, |
| 2 |
|
| 3 |
From what I know, the GLSA announcing the Feb 18 do_mremap kernel |
| 4 |
vulnerability is still not out, though most (if not all) of the packages |
| 5 |
implementing the correction are available in portage. I think we've a |
| 6 |
problem here which should be addressed. |
| 7 |
|
| 8 |
I've heard it was delayed so that it can include several more |
| 9 |
corrections. I think it's a mistake, this vulnerability is important |
| 10 |
enough so that a delay of more than 12 days is not acceptable... I |
| 11 |
obviously missed something here, maybe there is another reason I don't |
| 12 |
know of, is it is so please tell me ;) |
| 13 |
|
| 14 |
It's not the first time that a kernel-related GLSA has a significant lag |
| 15 |
between discovery and release. There are two different directions in |
| 16 |
solving this problem : |
| 17 |
|
| 18 |
1/ we acknowledge that a specific GLSA should have been released on this |
| 19 |
specific problem ASAP, and take steps to avoid the problem next time |
| 20 |
|
| 21 |
2/ we keep the "the less GLSA the better" approach which leads to big |
| 22 |
lags in all kernel, then we need a different alert mecanism so that |
| 23 |
people can be warned of the problem |
| 24 |
|
| 25 |
In situation (1) there should be a maximum acceptable delay in the GLSA |
| 26 |
policy, so that a GLSA can wait some time for validation and |
| 27 |
consolidation, but not too much. In situation (2) we need another |
| 28 |
communication medium (security alerts as opposed to security advisories) |
| 29 |
to warn people in advance. Advisories can still be delayed so that they |
| 30 |
include "the definitive fix(TM)", but cumulative warnings can be sent |
| 31 |
out the moment the vulnerability is discovered and the minute corrective |
| 32 |
vanilla-sources packages are available in portage. |
| 33 |
|
| 34 |
If the policy is already there but there wasn't enough manpower to |
| 35 |
enforce it, then maybe the gentoo-security herd should recruit ;) |
| 36 |
|
| 37 |
I would like your input on the subject. Sorry for those who already read |
| 38 |
some of this rant on gentoo-dev, that was off-topic there, and thanks to |
| 39 |
Mike for pointing me to the right place (although I didn't really find a |
| 40 |
recent thread to shamelessly plug into) :) |
| 41 |
|
| 42 |
PS : glsa-test shows a 200402-09 GLSA dated Feb 18 on the subject, but |
| 43 |
apparently it didn't make it upstream. |
| 44 |
|
| 45 |
- Koon |
| 46 |
|
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-security@g.o mailing list |
Archives