[NMLUG] Oops! Linux Bug Escapes Early

Warner Losh nmlug@swcp.com
Fri, 30 Nov 2001 14:11:01 -0700


In message <3C07F332.5070709@spinn.net> Matt Grommes writes:
: How can Redhat withhold details of a patch and still release the patch? 
: I guess I just don't understand your position fully.

By putting the new rpm up on their server with a recommendation to
upgrade and that details will be forthcoming as of date X.

Or just put a new version up and say that upgrading is recommended.
E.g. a cryptic "Upgrade to wuftpd 3.1.2p1" is what is typically done,
or "Fix bug relating to multiple frees of a pointer." which doesn't
draw attention to it, in and of itself.

The PR engine that goes along with the vulnerability disclosure will
include a link to this rpm and people that are running wuftpd will
grab it and install it on their servers.

Since the file will only be there a couple of days before all is
clear, that gives other groups time to schedule their process to do
the same.

With FreeBSD it is a little different.  FreeBSD has a cvs tree that's
open to everyone (Redhat doesn't have a CVS tree this open, iirc).
When there's a bug, we commit a fix to it.  This fix may or may not
require an advisory.  Since it takes us a few days to get the advisory
written, the patch back ported to older FreeBSD revisions, etc, we
usually let our compatriots know about it (e.g., hey Mr. NetBSD security
officer, we had this bug, here's our patch and we think you are
impacted too).  That gives them time to start their process.  Oftentimes
in these few days the patch evolves as we hear from other
groups, or more eyes review the fixes we've committed.  In the end, we
usually have excellent patches that can be applied to multiple
versions and don't include anything not necessary for the
vulnerability.

For the FreeBSD ports system, this also lets us get the fix into the
build process right away, so when the advisory comes out on Dec 4, we
can say that anyone that installed the binary after Dec 1 is safe.  We
provide all the information that a sysadmin needs to know if he's
vulnerable or not.

In general, I as the security officer know about vulnerabilities about
3-7 days before the rest of the world.  My job is to make sure that
FreeBSD gets patched in that time and that our PR engine is ready to go
when it hits the streets.  Or if we discovered it, to make it hit the
streets.

Warner