Date: Fri, 6 Jun 2014 11:58:46 -0400 From: Rich Felker <dalias@...c.org> To: oss-security@...ts.openwall.com Subject: Re: Linux kernel futex local privilege escalation (CVE-2014-3153) On Fri, Jun 06, 2014 at 05:43:28PM +0200, rf@...eap.de wrote: > Greg> There is someone still maintaining 3.12-stable, why not rely > Greg> on those releases if you want that kernel version, instead of > Greg> rolling your own? > > We thankfully do rely on that as our base. In this case though, the > patches haven't been ported until this moment. And I can't wait for them > to appear since there is no time-line when that will happen ... Indeed. This is probably the biggest security flaw in Linux in the past 5 years (if not the biggest ever) since it allows a full kernel compromise even from extremely tight sandboxes. In my opinion, the way the announcement was handled was really unprofessional. There should have been fixes prepared for, and/or committed into the git repos for, all currently maintained releases/branches at the time of the announcement. Anything else leaves everybody but users of the big mainstream distros scrambling to figure out how to get a non-vulnerable kernel that's compatible with their current setups. Rich
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ