This is the effect of "every vulnerability is a bug" and "we can't rate the severity of any vulnerabilities".
Which very clearly results in "bugfixes" (security patches) not making it everywhere in time because it's just simply ridiculous to ask for each downstream consumer to rate the severity of everything on their own. It's easy to shit on CVEs, some even put out shit CVEs, but at the same time contribute absolutely nothing towards providing a better alternative.
It's quite certain that both the Linux project and the Linux CNA need to take some responsibility and put in some effort at communication and making it easier to triage.
They can't. Linux has too high a profile. Any additional "in group" that had access to embargoed critical security information would have a much higher chance of being compromised.
The solution is not to tell more people that patch xxxxxx is a critical security bugfix that needs distros to roll new kernel versions immediately.
Major vendors (all the cloud providers) will have security teams that can have the bug mitigated in a few minutes once they're notified.
For everyone else...
Part of the solution is that distros need to stop believing that their distro kernel branches are any better than linux-stable, and use linux-stable and engage with the linux-stable list and patchsets if they're concerned about what's going into them.
Part of the solution is each distro needs a process for pushing critical updates (module blacklists, ebpf patches) to address things like this without forcing all distro users to reboot, which many won't do promptly anyway.
I used to work in a group that 'managed' this information a while back. I used to work in Red Hat product security dealing with embargoed flaws and disclosure dates; it was non-trivial to get this process managed.
I do think that it's the right thing to do, if the reporter is willing to come to the party, but I also understand why if they don't want to.
> Part of the solution is each distro needs a process for
> pushing critical updates (module blacklists, ebpf patches)
> to address things like this without forcing all distro
> users to reboot, which many won't do promptly anyway.
Almost like a 'mitigation tool' that doesn't require expertise on the user's end, but on the provider's end.
The distros don't get any involvement until release, welcome to the suck.