
Re: thoughts on kernel security issues


On Thu, 13 Jan 2005, Dave Jones wrote:

> On Thu, Jan 13, 2005 at 10:48:14PM +0100, Marek Habersack wrote:
>  
>  > > If admins don't install updates in a timely manner, there's
>  > > not a lot we can do about it.  For those that _do_ however,
>  > > we can make their lives a lot more stress free.
>  > Indeed, but what does it have to do with a closed disclosure list?
> 
> For the N'th time, it gives vendors a chance to have packages
> ready at the time of disclosure.
> 
>  > With open
>  > disclosure list you provide a set of fixes right away, the admins take them
>  > and apply. With closed list you do the same, but with a delay (which gives
>  > an opportunity for a "race condition" with the bad guys, one could argue).
>  > So, what's the advantage of the delayed disclosure?
> 
> Not having to panic and rush out releases on day of disclosure.
> Not having users vulnerable whilst packages build/get QA/get pushed to mirrors.
> 
The users are still vulnerable during the time you are preparing your 
kernel packages.
Personally I'd very much prefer to know of the bug even before a fix is 
ready since that would allow me to protect my systems in alternative ways 
until the fixes are ready.   Depending on the nature of the bug I 
could perhaps tweak firewall rulesets temporarily, temporarily disable 
certain services, perhaps I could mount a few filesystems read-only for a 
few days, maybe rebuild my current vulnerable kernel with an option 
disabled as a workaround and live with less functionality until the fix is 
ready, maybe even take vulnerable systems offline until a fix is ready. 
Having the info that the bug exists and can be targeted in this or 
that way gives me a chance to respond and protect my systems while a 
proper fix is being developed.  I can't do that if I'm in the dark until 
vendors feel comfortable and ready to release packaged bug-free kernels - 
and all the time I'm waiting some black hat idiot may have found the same 
bug and cracked my system.


-- 
Jesper Juhl


