Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reporting Kernel Security Issues

Posted by timothy on from the top-men-are-working-on-it dept.

Omniscientist writes "A recent post on KernelTrap details the lkml post by Chris Wright talking about a centralized place to report security issues pertaining to the Linux Kernel and the discussion that was generated by it, including Chris's followup. It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

4 of 75 comments (clear)

  1. Working on my own DS_Linux by Dancin_Santa · · Score: 5, Informative

    On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

    The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

    Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

    Keep those bug reports coming!

  2. Re:Good idea? by Anonymous Coward · · Score: 5, Insightful

    Did you actually read the fine thread? All Chris is doing is creating a single point of contact for security related bugs. The current situation is that bugs are reported randomly to lkml, distros or whereever so some may fall through the net.

    A single point of contact is a good thing in my book.

  3. Single point of contact a good thing by Anonymous Coward · · Score: 5, Informative

    "It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

    Err.. no - what they have done is create a single point of contact for security related bugs instead of the mish mash we have at the moment. That POC will work with the reporter to publish the bug.

  4. make stable kernel bugs private? by essreenim · · Score: 5, Interesting
    What bout this: a) all [unstable development kernel e.g 2.6.1] bugs get published "public" - each and every person can snoop around and either help fix it - or instead try to exploit it (even moreso, keep on exploiting it on "unpatched" systems long time after) But, keep [stable kernels] private.