Linux vulnerabilities being covered up (again)

http://seclists.org/oss-sec/2013/q1/570

One of a billion times. I'll post more later, if anyone's interested. Thankfully, it's Linux, so there are people who *can* call them out about it.

 

I don't agree with obscuring information.

 

Well that's good, unfortunately that's something upstream does quite often.

 

Is there some benefit?

 

Nope.

 

The more eyes the better. And this is what gets my goat, Linux Elitists who snub their nose at stuff like this. The point of Linux is that it's open, if you shut yourself of from acknowledging bugs and exploits then it's bad for everyone.

 

How do you think this was "covered up" ?

Cheers, Nick

 

How does "upstream" (I assume you mean the kernel devs) obscure anything ?

Kernel already notifies Linux-Distro private mailling list and leaves the responsibility to disclose to them.

Cheers, Nick

 

Yes, I mean the kernel devs.

How do they obscure anything? Oftentimes it's referring to a buffer overflow as a "memory corruption leading to adjacent memory blah blah blah" ie: taking a common term, and rewriting it so that it doesn't sound like a vulnerability.

http://seclists.org/oss-sec/2013/q1/569

There you go.

http://seclists.org/oss-sec/2013/q1/349

https://lwn.net/Articles/538600/

I can find a lot more than these. Some really funny examples like the one I referred to where they called vulnerabilities DOS's for a long time even though hackers had already directly given POCs showing exploitability.

This has led to vulnerabilities in the kernel being reported but not fixed in distros for weeks. I can get more reading for you, which will show how this happens, and how you can spot patterns.

 

Thanks,

BTW I'm not taking sides as Im not in any way a kernel guy, just trying to understand the situation more, very hard to work out the facts from opinion.

Cheers, Nick