Slashdot Mirror


Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws

darthcamaro writes: Amazon, Rackspace and IBM have all patched their public clouds over the last several days due to a vulnerability in the Xen hypervisor. According to a new report, the Xen project was first advised of the issue two weeks ago, but instead of the knee-jerk type reactions we've seen with Heartbleed and now Shellshock, the Xen project privately fixed the bug and waited until all the major Xen deployments were patched before any details were released. Isn't this the way that all open-source projects should fix security issues? And if it's not, what is?

3 of 81 comments

  1. Re:Maybe? by kaiser423 · Score: 3, Interesting

    It seems all pretty reasonable to me. If known exploits are out there, or if the vulnerability is known then the fix gets published right away and there's no two-week embargo. But if it appears that no one else knows about this vulnerability, then the two-week wait seems to be a great policy. Give most people that can keep their mouths shut two weeks to get everything patched up and tested.

    I get that a lot of people just chant the "security through obscurity" mantra, but obscurity really is a layer of security. It just shouldn't be your only defense. Hell, a password is a form of security through obscurity -- your salted password hash is just an obscured version of your password. So, as long as the obscurity is managed well, and in this case it appears to be, then we're good. Their document says that even small projects with no money can get on the pre-disclosure list.

  2. Re:Black hat by meustrus · Score: 3, Interesting

    Many open source projects have specific protocols for security flaws that include having an insulated security team communicating in private with private code repositories. But even for those that don't, two weeks of security by obscurity is better than two weeks of no security at all.

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.

  3. Re:"Gave them time" not "Waited" by nman64 · Score: 4, Interesting

    Actually, the flaw in bash was also embargoed for a couple of weeks. The problem is that the original patch that was given time to circulate didn't fully fix the issue, and nobody realized that until after the embargo was lifted and the problem became public knowledge. "Responsible disclosure" was exercised in both cases; it just didn't work out well with Shellshock.