Message-ID: <20260520160921.GA2689@localhost.localdomain>
Date: Wed, 20 May 2026 16:09:39 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Multiple vulnerabilities in AppArmor

Hi all,
Some food for thought. After reading Solar Designer's post ("I do feel
there can still be cases where a carefully timed notification to
linux-distros would work well"):
https://www.openwall.com/lists/oss-security/2026/05/01/2
we decided to reconsider our previous decision ("we will coordinate the
disclosure of kernel vulnerabilities with the Linux kernel security team
only"):
https://www.openwall.com/lists/oss-security/2026/03/12/6
So, for CVE-2026-46333 (a logic bug in __ptrace_may_access()):
https://www.openwall.com/lists/oss-security/2026/05/15/2
https://www.openwall.com/lists/oss-security/2026/05/20/15
we tried the following:
> Timeline
> 2026-05-11: Advisory and proof of concept sent to the security@...nel.
> 2026-05-14: Patch committed publicly (31e62c2) by Linus Torvalds.
> 2026-05-14: Heads-up sent to the private linux-distros@...nwall.
> 2026-05-15: Heads-up sent to the public oss-security@...nwall.
> 2026-05-20: Advisory published.
This worked reasonably well: by the time we published our full advisory
(including the LPEs to root), most distributions had already updated
their kernel packages.
Thank you very much to everyone involved in this release!

With best regards,
--
the Qualys Security Advisory team