Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Michael Stone wrote:
> The issue isn't whether the bug is fixed (it already was); the issue is
> whether it's publicized as a security fix with a big notice that everybody
> must upgrade now. Have you looked at the diffs between kernel revisions?
> That's a whole lotta fixed bugs. There's a human factor in the process
> of deciding which bugs get the full treatment and there always will be.
> Or do you have some better solution? Treating every bug fix as critical
> and making upgrades is *not* a solution because 1) people would get tired
> of it and not bother, not knowing whether it's a real important fix or
> not, 2) the changes might introduce stability problems, which can
> themselves render the system unusable, and 3) some bug fixes might
> introduce new security problems, leading to no net gain.
Actually this is exactly what I meant: there are known risks and unknown
risks. What we can avoid are, in the first place, the known risks. So the
question is just whether we want to take these KNOWN risks or not. A
discovered bug with a known exploit is a much higher risk than one without
any known exploit, of course. So I have to agree that the first kind of
risks are those that have to be avoided first. As you said, we have to
make a triage unless we have the resources to do it perfectly (which in
reality can never be achieved).
In the actual case of the hacked servers it was not just a bug, but a
security problem (CAN-2003-0961) without an existing exploit.
I would never demand (and I cannot demand anything, as I could try to
fix things by myself) that every bug should be fixed and that each time
everyone has to update his / her kernel...
And I did not want to offend anybody with this or my previous post.
These were rather philosophical thoughts that came to my mind...