Re: [SECURITY] [DSA 2264-1] linux-2.6 security update
On Sat, Jun 18, 2011 at 11:28:25PM -0400, Eric d'Halibut wrote:
> Hi Dann,
> On 6/18/11, dann frazier <email@example.com> wrote:
> > However, given the high frequency at which low-severity security
> > issues are discovered in the kernel and the resource requirements of
> > doing an update, updates for lower priority issues will normally not
> > be released for all kernels at the same time.
> That was quite an impressive gathering of vulns and fixs! From the
> paragraph I just cited above, I conclude that one should *not
> necessarily* take such a long list as evidence of an upsurge in
> attacks against the Linux kernel.
> Am I on the right track with that?
Correct. Being vulnerable and being attacked are two different
things. I believe all of these issues were discovered by researchers
or surfaced as normal bugs, not as part of a post-mortem investigation.
> Or, perhaps, is there such an upsurge, only the rate of Debian
> Security fixes is not a good indicator of that activity?
There is a constant stream of relatively minor security fixes from
Linux upstream. We tend to cue them up together and release either
when a more severe issue appears, or a significant number of issues
have appeared. This was more a case of the latter. You'll notice a lot
of them require elevated privileges (CAP_NET_ADMIN, video group),
physical access, etc, or have relatively minor impact (leaking a few
bytes of kernel memory).
> Or maybe there is some other completely different story, and I am just
> way off! <g>