Re: DSA 438 - bad server time, bad kernel version or information delayed?
Florian Weimer <fw@deneb.enyo.de> writes:
> Otavio Salvador wrote:
>
>> Florian Weimer <fw@deneb.enyo.de> writes:
>>
>> > Jan Lühr wrote:
>> >
>> >> Does this mean, that a well known exploit was kept back for nearly three
>> >> weeks, just because some odd vendors were unable to build there kernels in
>> >> time?
>> >
>> > Yes, this is the norm. Debian hides security bugs from its users for
>> > extended periods of time.
>>
>> Yes but this have a reason.
>
> There are several justifications and explanations, yes.
>
>> Before upload a fix this need be available in all supported archs
>
> Fortunately, you are wrong. Kernel security updates are no longer
> synchronized among architectures.
If we provide an i386 image to fix a vulnerability and the same is
found in other arch, then, someone can try to explore this. We need
release all affected at same time to solve this.
--
O T A V I O S A L V A D O R
---------------------------------------------
E-mail: otavio@debian.org UIN: 5906116
GNU/Linux User: 239058 GPG ID: 49A5F855
Home Page: http://www.freedom.ind.br/otavio
---------------------------------------------
Reply to: