
Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory

Quoting Micah Anderson (micah@riseup.net):

> I want to chime in here also, I too was unhappy that I did not know
> about a local root exploit in 2.4.22 until the Debian machines were
> compromised in this manner. I think a lot of people were in the same
> boat (not to mention the Debian folks). I watch kerneltrap, kernel
> traffic, and slashdot fairly regularly for these purposes, and I did
> not see anything of this sort come through, otherwise I would have
> patched immediately (which is what I did last night when I received
> the information).
> I would like to know how I can be more abreast of future security
> issues like this if Bugtraq (et al.), kerneltrap, kerneltraffic,
> slashdot, etc. are not notified to flag this, and kernel.org does not
> flag this on the website, are we to wait for some high profile exploit
> to happen again before we are alerted to this problem?

Well, the kernel.org changelogs _are_ public.  Feel free to read them on
an ongoing basis, and comment on the security implications of bugfixes
as they're entered into the BitKeeper repository.  There are any number
of mailing lists, Web sites, and magazines that would be delighted to
publish your analyses and advisories.

Or I guess you could pay someone to do likewise.

Did you have in mind some third alternative?  I'm not aware of one,
given the community nature of the kernel project.

Cheers,                        A: No.  
Rick Moen                      Q: Should I include quotations after my reply? 
