Slashdot Mirror

← Back to Stories (view on slashdot.org)

Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws

Posted by timothy on from the steady-as-she-goes dept.

darthcamaro writes Amazon, Rackspace and IBM have all patched their public clouds over the last several days due to a vulnerability in the Xen hypervisor. According to a new report, the Xen project was first advised of the issue two weeks ago, but instead of the knee jerk type reactions we've seen with Heartbleed and now Shellshock, the Xen project privately fixed the bug and waited until all the major Xen deployments were patched before any details were released. Isn't this the way that all open-source projects should fix security issues? And if it's not, what is?

8 of 81 comments (clear)

  1. "Gave them time" not "Waited" by martyros · · Score: 4, Funny

    The XenProject security process gives them time to patch their systems (in this case, 2 weeks). If you don't have your stuff patched by then, they won't wait for you.

    --

    TCP: Why the Internet is full of SYN.

    1. Re:"Gave them time" not "Waited" by nman64 · · Score: 4, Interesting

      Actually, the flaw in bash was also embargoed for a couple of weeks. The problem is that the original patch that was given time to circulate didn't fully fix the issue, and nobody realized that until after the embargo was lifted and the problem became public knowledge. "Responsible disclosure" was exercised in both cases, it just didn't work out well with Shellshock.

  2. But the media would lose... by charles05663 · · Score: 4, Insightful

    Their hysteria drive news cycle.

  3. Apples and Oranges by BenFranske · · Score: 4, Insightful

    Sure, it's an ideal situation where a bug was identified, fixed quickly and a patch pushed out and applied by large users quickly but Xen is a program which is much more centrally controlled than BASH or OpenSSL. BASH and OpenSSL are more key infrastructure bits than Xen is. What I mean is that they are integrated into FAR more devices and systems making a silent patch nearly impossible.

    1. Re:Apples and Oranges by QuietLagoon · · Score: 4, Insightful

      ... BASH and OpenSSL are more key infrastructure bits than Xen is. What I mean is that they are integrated into FAR more devices and systems making a silent patch nearly impossible.

      Quite correct.

      .
      Just try to estimate the number of devices affected by Heartbleed and Shellshock. It's probably in the billions.

      As a case in point, a single Zen installation can host hundreds, maybe even thousands, of vulnerable installations of Shellshock and Heartbleed.

      It is truly an apples and oranges comparison.

  4. Re:Maybe? by i+kan+reed · · Score: 4, Informative

    your salted password hash is just an obscured version of your password.

    Negatory. Salted hashes are not reversable without a huge damned rainbow table particular to the salt, and most passwords are hashed, not encrypted.

    There isn't actually a password to recover from that.

  5. Re:Ignorance is not bliss by Chrisq · · Score: 4, Funny

    Ignorance is not bliss

    I didn't want to know that!

  6. That's how the bash issue was handled by nedlohs · · Score: 4, Informative

    That some idiot decided to publish the prenotification is just more likely when you have something in as widespread use as bash.