Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
On Fri, Dec 05, 2003 at 08:32:02PM +0100, Florian Weimer wrote:
> Keep in mind that there is no official security contact for the kernel,
> and no established bug handling procedure.
What about http://bugzilla.kernel.org ?
> Time to fix is now measured
> in months, and official kernel release schedules do not take security
> issues into account (nowadays, not even critical data loss mandates a
> coordinated emergency release).
Yes, I can confirm (although I'm not sure about the -pre and -rc
releases, especially since MT is in charge of dealing with 2.4).
> In short: Don't run official, unpatched kernels. Use vendor kernels.
Or take the alternative approach: watch the vendor advisories and
see which bits are worth importing into your tree. My only
expectation on behalf of the vendor is to help me make the
decision by providing a clear explanation of the purpose of
the patch and of the inclusion in his tree.
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever? | 82DD 54C2 843D 37B8 D989
Renegade? | http://www.keyserver.net