Softpanorama

May the source be with you, but remember the KISS principle ;-)
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix

Hidden Linux Security Patches

"Linus has this bad habit of fixing security holes quietly," said Cox. "This is a bad idea as some people read all the kernel patches to find the security holes."

Alan Cox

 

The problem with security fixes quietly applied by Linus

The ups and downs of life with Linus, Mar 02 2005
He may be the saint of the Linux community, but it sounds like Linus Torvalds - with his secret security fixes - could still be a challenge to work with
 
http://news.zdnet.co.uk/software/linuxunix/0,39020390,39189593,00.htm

was:

 
"Cox said that Torvalds does not always let people know when he has
fixed a security bug in the kernel. This can be a problem as the patch
will take a while to make it to production, which means that hackers can
exploit the vulnerability before it is made available to individuals and
enterprises running Linux.

 
"Linus has this bad habit of fixing security holes quietly," said Cox.
"This is a bad idea as some people read all the kernel patches to find
the security holes.""

 

Linux 2.0.36: Quietly fixed stuff

Alan Cox sent a summary of security holes that have been fixed quietly in Linux 2.0.36 to the Bugtraq List. The original announcement can be found at the URL below.

Re: Linux 2.0.36 in slink?



I agree.  In fact, Alan Cox says that "every vendor should have their kernel
updates long out".  For some reason, we seem to be reluctant to do so, but I
can't understand why.  There are possible DoS attacks, holes in mmap, etc. 
It is very important to get it in there.

John

On Sun, Dec 13, 1998 at 10:55:33PM -0800, Joel Klecker wrote:

> Considering that this is a bug fix release including various security 
> fixes, I think 2.0.36 belongs in slink.
> 
> Release Notes: <http://roadrunner.swansea.linux.org.uk/relnotes.36.html>
> 
> Bugtraq posting regarding "silent security fixes" in 2.0.36: 
> <http://news.freshmeat.net/readmore?f=2.0.36-silent-fixes>
> --
> Joel Klecker (aka Espy)                     <URL:http://web.espy.org/>
> <URL:mailto:[email protected]>                  <URL:mailto:[email protected]>
> Debian GNU/Linux PowerPC -- <URL:http://www.debian.org/ports/powerpc/>

-- 
John Goerzen   Linux, Unix consulting & programming   [email protected] |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
Visit the Air Capital Linux Users Group on the web at http://www.aclug.org

