Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
On Tue, Dec 02, 2003 at 11:23:53PM +0100, Marcel Weber wrote:
> I think this incident is a nice lesson learned for everyone. A found
> coding bug can always have security implications, as there will always be
> someone ingenious enough to create an exploit of it. We all know some
> bigger software company telling its customers that some coding bugs are
> not that critical until the next worm / email virus appears...
The issue isn't whether the bug is fixed (it already was); the issue is
whether it's publicized as a security fix with a big notice that everybody
must upgrade now. Have you looked at the diffs between kernel revisions?
That's a whole lotta fixed bugs. There's a human factor in the process
of deciding which bugs get the full treatment, and there always will be.
Or do you have some better solution? Treating every bug fix as critical
and making an upgrade is *not* a solution because 1) people would get tired
of it and not bother, not knowing whether it's a really important fix or
not, 2) the changes might introduce stability problems, which can
themselves render the system unusable, and 3) some bug fixes might
introduce new security problems, leading to no net gain.