
News: News regarding BSD and related.

Old 27th March 2023
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,136
Google Security Researchers Accuse CentOS of Failing to Backport Kernel Fixes

From https://tech.slashdot.org/story/23/0...t-kernel-fixes:
Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y tree.... As expected, it turned out that several kernel fixes have not been deployed in older, but supported versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future, it may allot even stricter deadlines for missing backports....
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
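The comparison the quoted summary describes (a distribution kernel checked against the stable tree it tracks) comes down to finding stable fixes that have no counterpart in the distro tree. The Python below is an added example with constructed sample commits, not code from the article or from Project Zero; it matches on normalized commit subjects and on `commit <id> upstream` citations, the usual way a backport names its upstream source.

```python
import re

# Constructed sample data for illustration (not taken from the article or
# from the trees it compared). A stable-tree fix is keyed by its upstream
# commit id; a distribution backport usually repeats the subject and often
# cites the upstream id in its body as "commit <id> upstream".
STABLE_FIXES = [
    {"id": "a1b2c3d4e5f60718", "subject": "net: fix use-after-free in foo_close()"},
    {"id": "0f1e2d3c4b5a6978", "subject": "fs: validate length before copying"},
    {"id": "9988776655aa4433", "subject": "mm: avoid double free on error path"},
]
DISTRO_COMMITS = [
    {"subject": "net: fix use-after-free in foo_close()", "body": ""},
    {"subject": "[backport] FS: validate length before copying",
     "body": "commit 0f1e2d3c4b5a6978 upstream\n"},
    {"subject": "build: bump kernel release", "body": ""},
]

UPSTREAM_REF = re.compile(r"\bcommit\s+([0-9a-f]{12,40})\s+upstream\b", re.I)
PREFIX = re.compile(r"^\s*(\[[^\]]*\]\s*)+")  # strips tags such as "[backport]"


def normalize(subject):
    """Subject comparison key: drop bracketed tags, collapse spaces, ignore case."""
    return " ".join(PREFIX.sub("", subject).split()).lower()


def cited_upstream_ids(commits):
    """Set of 12-character upstream id prefixes cited in distro commit bodies."""
    ids = set()
    for c in commits:
        for m in UPSTREAM_REF.finditer(c.get("body", "")):
            ids.add(m.group(1)[:12])
    return ids


def missing_backports(stable_fixes, distro_commits):
    """Stable fixes with neither a matching subject nor a cited upstream id."""
    seen_subjects = {normalize(c["subject"]) for c in distro_commits}
    seen_ids = cited_upstream_ids(distro_commits)
    return [
        f for f in stable_fixes
        if f["id"][:12] not in seen_ids
        and normalize(f["subject"]) not in seen_subjects
    ]


if __name__ == "__main__":
    for fix in missing_backports(STABLE_FIXES, DISTRO_COMMITS):
        print(f"missing: {fix['id'][:12]} {fix['subject']}")
```

Against real trees the two lists would come from `git log` over each repository; subject matching misses fixes that were re-titled, so treat the output as a review list rather than a verdict.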
Old 28th March 2023
jmccue
Real Name: John McCue
Package Pilot
Join Date: Aug 2012
Location: here
Posts: 173

I saw this and it seems odd. Google wants RH to patch a kernel they are using. The kernel was fixed in version 5.15. So why can't Google move to that?

I thought that was one of the advantages claimed by Linux, the kernel is separate to allow one to choose which one to use.

Makes me wonder if Google and RH (=IBM) are competing in various offerings and RH is taking its time for some strange reason. I doubt that is true, but this whole thing seems weird.
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars (tvtropes.org)
Old 28th March 2023
Head_on_a_Stick
Real Name: Matthew
Bitchy Nerd Elitist
Join Date: Dec 2015
Location: London
Posts: 468

Originally Posted by jmccue
RH is taking its time
The linked article refers to CentOS rather than RHEL. I'm pretty sure the paid-for version would already have the fixes applied.
Old 29th March 2023
blackhole
Spam Deminer
Join Date: Mar 2014
Posts: 325

Project Zero is not about google wanting Red Hat to patch a kernel for them, but just part of the normal "mission" of that project....

Disclaimer: I'm not a fan of Google, and yes, they could pick their targets carefully, and I would assume that would be the case.

wikipedia has a list of "notable discoveries": https://en.wikipedia.org/wiki/Projec...le_discoveries

While many of those are significant and important, you will note that all too often, it's Apple products, Intel chips, Microsoft Windows, Cloudflare, etc, that feature. If you're a multi billion $ operation who can finance setting up a project to pick holes in your competitors' offerings and then place that under the banner of some kind of altruistic research, for the benefit of all, you would probably do it - especially if your competition include the likes of Microsoft, Intel and Apple. Then if they can't patch within 90 days (let's be honest, they should be able to, but...) the vulnerability gets disclosed... in the interests of poor unfortunate, ordinary end users being able to take steps to mitigate/patch it (if only that "noble philosophy" were applied to their unsupported and abandoned devices).

Last edited by blackhole; 29th March 2023 at 02:00 PM.
