Slashdot Mirror

← Back to Stories (view on slashdot.org)

Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws

Posted by timothy on from the steady-as-she-goes dept.

darthcamaro writes Amazon, Rackspace and IBM have all patched their public clouds over the last several days due to a vulnerability in the Xen hypervisor. According to a new report, the Xen project was first advised of the issue two weeks ago, but instead of the knee jerk type reactions we've seen with Heartbleed and now Shellshock, the Xen project privately fixed the bug and waited until all the major Xen deployments were patched before any details were released. Isn't this the way that all open-source projects should fix security issues? And if it's not, what is?

3 of 81 comments (clear)

  1. But the media would lose... by charles05663 · · Score: 4, Insightful

    Their hysteria drive news cycle.

  2. Apples and Oranges by BenFranske · · Score: 4, Insightful

    Sure, it's an ideal situation where a bug was identified, fixed quickly and a patch pushed out and applied by large users quickly but Xen is a program which is much more centrally controlled than BASH or OpenSSL. BASH and OpenSSL are more key infrastructure bits than Xen is. What I mean is that they are integrated into FAR more devices and systems making a silent patch nearly impossible.

    1. Re:Apples and Oranges by QuietLagoon · · Score: 4, Insightful

      ... BASH and OpenSSL are more key infrastructure bits than Xen is. What I mean is that they are integrated into FAR more devices and systems making a silent patch nearly impossible.

      Quite correct.

      .
      Just try to estimate the number of devices affected by Heartbleed and Shellshock. It's probably in the billions.

      As a case in point, a single Zen installation can host hundreds, maybe even thousands, of vulnerable installations of Shellshock and Heartbleed.

      It is truly an apples and oranges comparison.