Date: Wed, 28 Jun 2017 08:58:26 +0200
From: Dominique Martinet <asmadeus@...ewreck.org>
To: oss-security@...ts.openwall.com
Subject: Re: CoreOS membership to linux-distros

Sven Dowideit wrote on Wed, Jun 28, 2017:
> I'm responsible for RancherOS, and think that both I, and my users
> would prefer that I had access to the embargoed information earlier,
> so preparing a response would have been less of a rush.

I can relate to the rush feeling, even with few users/"private" distro
here; having a custom kernel makes this kind of fix annoying...
But given the delayed exploit release I'd say it does not really matter
if you take a few days for this, especially in this case with the low
success rate on 64bit linux. As soon as reasonably possible does not
necessarily mean rush.

As a rhel/centos spin-off, though, we would have liked the bug brought
up here ( https://bugzilla.redhat.com/show_bug.cgi?id=1463241 ) to have
its fix published faster; it's apparently been ready for a week but not
been published... I don't mind bugs, but if it's fixed it's annoying to
keep it behind closed doors.

> One of the things that would have made my last week less worrying, is
> to have some access to exploit code - so as to verify the changes
> actually had a useful effect.

You don't need an actual exploit to test this.
You're not the first person who has told me this, so I actually took
some time this morning to whip up a "tester" -- it's probably far from
perfect but will run successfully on older debian/rhel and crash with a
patched kernel as expected, and is as inoffensive as it can get.

I'm sure there are other better testers online; I didn't try looking as
I don't get much chance to play with this kind of stuff :)
Qualys gave a lot of details in their report (kudos to well-written
advisories like that!). I agree having everything on a golden plate is
better, but it really isn't much work left for smaller distros if you
trust the big ones or even just upstream, once bugs got steamed out.

-- 
Asmadeus | Dominique Martinet

[Attachment: teststackclash.c (text/x-csrc, 1551 bytes)]
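The attached teststackclash.c is not reproduced in the archive. What follows is an added example written for this page, not Dominique's attachment and not Qualys's code, showing the same kind of inoffensive check he describes: no exploit, just a forked child that maps a page a fixed distance below the stack and grows the stack toward it. On a kernel with the one-page guard the child reaches the mapping and exits normally; on a kernel with the enlarged stack_guard_gap (1 MiB, i.e. 256 pages, on Linux 4.12 and the distro backports of the fix) the expansion is refused and the child dies with SIGSEGV, which the parent reports as the verdict. The function names (probe_stack_gap, stack_start_from_maps, grow_to) are mine; the code assumes x86-64 Linux with 4 KiB pages, the default stack_guard_gap, and the default mmap layout in which the few MiB just below [stack] are unmapped.

```c
/* stackgap-probe.c: does the kernel keep a guard gap between the stack and the
 * nearest mapping below it (the Stack Clash / CVE-2017-1000364 mitigation)?
 * Build and run:  cc -O2 -o stackgap-probe stackgap-probe.c && ./stackgap-probe
 * Assumes x86-64 Linux, 4 KiB pages, default stack_guard_gap (256 pages) and the
 * default mmap layout (the region a few MiB below [stack] is unmapped). */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAGE 4096UL
#define MIB  (1024UL * 1024UL)

enum probe_result { PROBE_REACHED = 0, PROBE_BLOCKED = 1, PROBE_ERROR = 2 };

/* Low address of the "[stack]" VMA in /proc/self/maps text (one or more lines),
 * or 0 if there is no such line. Pure, so it can be tested on constructed input. */
uintptr_t stack_start_from_maps(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (memmem(line, len, "[stack]", 7))
            return (uintptr_t)strtoull(line, NULL, 16);
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

static uintptr_t read_stack_start(void)
{
    char line[512];
    uintptr_t start = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    while (!start && fgets(line, sizeof line, f))
        start = stack_start_from_maps(line);
    fclose(f);
    return start;
}

/* Push the stack pointer down one page per call until it is at or below `limit`,
 * touching each new frame so the kernel must expand the stack VMA. The write after
 * the recursive call keeps `frame` live across it, so the compiler cannot turn
 * this into a loop that never moves the stack pointer. */
static __attribute__((noinline)) unsigned grow_to(uintptr_t limit)
{
    volatile char frame[PAGE];
    unsigned depth = 0;
    frame[0] = 1;
    if ((uintptr_t)frame > limit)
        depth = grow_to(limit) + 1;
    frame[1] = (char)depth;
    return depth;
}

/* Runs in the child: map one page `gap` bytes below [stack], then grow the stack
 * until it is `stop_above` bytes above that page. Returns only on success; when
 * the kernel refuses the expansion we are killed with SIGSEGV instead. */
static int child_probe(size_t gap, size_t stop_above)
{
    uintptr_t stack_start = read_stack_start();
    if (!stack_start || gap <= stop_above + PAGE)
        return PROBE_ERROR;
    uintptr_t target = (stack_start - gap) & ~(PAGE - 1);
    /* Hint only, no MAP_FIXED: a different address back means the spot was not
     * free (or the kernel's own gap check rejected the hint), so stop rather than
     * clobber whatever lives there. */
    void *m = mmap((void *)target, PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m != (void *)target)
        return PROBE_ERROR;
    (void)grow_to(target + PAGE + stop_above);
    return PROBE_REACHED;
}

/* Fork, run the probe in the child and classify how the child ended. */
int probe_stack_gap(size_t gap, size_t stop_above)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0)
        _exit(child_probe(gap, stop_above));
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSEGV ? PROBE_BLOCKED : PROBE_ERROR;
    return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_ERROR;
}

int main(void)
{
    /* Mapping 2 MiB below the stack (outside the 1 MiB gap, so the hint is honoured
     * on fixed kernels too), stop two pages above it: only a kernel without the
     * enlarged guard gap lets the child get that close. */
    int r = probe_stack_gap(2 * MIB, 2 * PAGE);
    if (r == PROBE_REACHED)
        puts("VULNERABLE: stack grew to within 2 pages of a foreign mapping");
    else if (r == PROBE_BLOCKED)
        puts("PROTECTED: child got SIGSEGV, kernel enforces a stack guard gap");
    else
        puts("ERROR: no /proc/self/maps, or the hint address was not free");
    return r;
}
```

The mapping is deliberately placed 2 MiB below the stack rather than right next to it: since the fix, the kernel also refuses an mmap hint that lands inside the guard gap of a stack VMA, so a hint 64 KiB below [stack] would be silently relocated on a fixed kernel and the probe would report an error rather than a verdict. Growing the stack toward a mapping that is safely outside the gap lets the expansion check, not the placement check, decide the outcome. As a control, probing with a 3 MiB distance and stopping 1.5 MiB above the mapping must succeed on every default kernel, which is a cheap way to confirm the harness itself is working before trusting a PROTECTED verdict.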