lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 12 Apr 2016 14:48:51 +0100
From:	Eddie Chapman <eddie@...k.net>
To:	Willy Tarreau <w@....eu>
Cc:	Greg KH <gregkh@...uxfoundation.org>,
	Sasha Levin <sasha.levin@...cle.com>,
	LKML <linux-kernel@...r.kernel.org>,
	stable <stable@...r.kernel.org>, lwn@....net
Subject: Re: [ANNOUNCE] linux-stable security tree


On 12/04/16 13:52, Willy Tarreau wrote:
> On Tue, Apr 12, 2016 at 01:31:21PM +0100, Eddie Chapman wrote:
>> None-the-less, I applaud and thank Sasha for this new effort, and I
>> personally will find it very useful.  Yes, the lines between bug fix and
>> security fix are very blurred, and so this tree won't have every "security"
>> fix. But I believe and trust it *will* at least contain fixes for bugs that
>> have the most severe security impact.
>
> It will only contain them if they are already in the respective stable trees,
> which means that when I miss a fix (common), it won't appear there either.
> At first I thought "oh cool, a repository of known things that must absolutely
> be fixed, that will help me do my backports" and in the end I fear it will be
> blindly used by end users who don't understand what they're missing but who
> still believe they limit the risk of upgrades. Just this morning I saw a
> report of a user saying that haproxy crashes is 2.6.24 kernel which is
> "otherwise perfectly stable and achieves multi-years uptime"... Imagine
> what such users will do when backporting fixes into they multi-thousands-bugs
> kernel!

Yes, agreed. I'm sure it's not going to be an exhaustive, complete 
repository.  But I think it is better than no repository. And I think 
you are right there is a risk some will use it blindly. However, it 
seems to me if they make this mistake then by definition they were 
probably already screwed with regards the issues we're discussing here, 
so things can't really effectively get any worse. So by blindly applying 
a small tree of what have already been regarded as important fixes their 
situation might then be upgraded from 100% screwed to maybe only 70% 
screwed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ