oss-sec mailing list archives
Re: CoreOS membership to linux-distros
From: Sven Dowideit <sven () rancher com>
Date: Wed, 28 Jun 2017 13:22:42 +0000
TBH, the biggest worry I have is the fact that until there are actual exploits available, we're just hoping that the tests we write are reasonable - its a game of chinese whispers, where we think we grok the information correctly, and completely - but we we're playing with a very partial deck. I did already find a few test tools - and thanks - yours also suggests that with the RancherOS release I made a few days ago, that we've done what we can (ok, so I actually delayed and didn't release the patched version I gleaned was the set - I was able to use 4.9.34 - as we're trying hard to be pure upstream whenever possible) IDK - I wouldn't call it "on a golden platter" - I'm trying to suggest that the bigger players have a tonne more knowledge and experience than we newer and smaller players do - but perhaps we can work out how the smaller distros can also get some early information and guidance - and perhaps that'll help mentor us up into doing more. Sven ________________________________ From: Dominique Martinet <asmadeus () codewreck org> Sent: 27 June 2017 23:58:26 To: oss-security () lists openwall com Subject: Re: [oss-security] CoreOS membership to linux-distros Sven Dowideit wrote on Wed, Jun 28, 2017:
I'm responsible for RancherOS, and think that both I, and my users would prefer that I had access to the embargoed information earlier, so preparing a response would have been less of a rush.
I can relate to the rush feeling, even with few users/"private" distro here, having a custom kernel makes this kind of fixes annoying... But given the delayed exploit release I'd say it does not really matter if you take a few days for this, especially in this case with the low success rate on 64bit linux. As soon as reasonably possible does not necessarily mean rush. As a rhel/centos spin-off though we would have liked the bug brought up here ( https://bugzilla.redhat.com/show_bug.cgi?id=1463241 ) to have its fix published faster though, it's apparently been ready for a week but not been published... I don't mind bugs, but if it's fixed it's annoying to keep it behind closed doors.
One of the things that would have made my last week less worrying, is to have some access to exploit code - so as to verify the changes actually had a useful effect.
You don't need an actual exploit to test this. You're not the first person who have told me this so I actually took some time this morning to whip up a "tester" -- it's probably far from perfect but will run successfully on older debian/rhel and crash with a patched kernel as expected, and is as inoffensive as it can get. I'm sure there are other better testers online, I didn't try looking as I don't get much chance to play with this kind of stuff :) Qualys gave a lot of details in their report (kudos to well written advisories like that!), I agree having everything on a golden plate is better but it really isn't much work left for smaller distros if you trust the big ones or even just upstream, once bugs got steamed out. -- Asmadeus | Dominique Martinet
Current thread:
- CoreOS membership to linux-distros Euan Kemp (Jun 27)
- Re: CoreOS membership to linux-distros Kurt Seifried (Jun 27)
- Re: CoreOS membership to linux-distros Euan Kemp (Jun 27)
- Re: CoreOS membership to linux-distros Sven Dowideit (Jun 27)
- Re: CoreOS membership to linux-distros Dominique Martinet (Jun 28)
- Re: CoreOS membership to linux-distros Sven Dowideit (Jun 28)
- Re: CoreOS membership to linux-distros Euan Kemp (Jun 27)
- Re: CoreOS membership to linux-distros Kurt Seifried (Jun 27)