Re: thoughts on kernel security issues

[Chris Wright]

* Andrew Morton (akpm@xxxxxxxx) wrote:
> AFAIUI, the vendor requirement is that they have time to have an upgraded
> kernel package on their servers when the bug becomes public knowledge.

Yup.

> If correct and reasonable, then what is the best way in which we can
> support them in this while promptly upgrading the kernel.org kernel?

Most projects inform vendors with enough heads-up time to let them get
their stuff together and out the door.

> IMO, local DoS holes are important mainly because buggy userspace
> applications allow remote users to get in and exploit them, and for that
> reason we of course need to fix them up.  Even though such an attacker
> could cripple the machine without exploiting such a hole.
> 
> For the above reasons I see no need to delay publication of local DoS holes
> at all.  The only thing for which we need to provide special processing is
> privilege escalation bugs.
> 
> Or am I missing something?

No, that's pretty similar to CVE allocation.  At one time, there was
little effort even put into allocating CVE entries for local DoS holes.
It's not that they aren't important, but less critical than remote DoS
issues, and way less so than anything priv escalation related.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/