Hi,

given that (according to https://dirtypipe.cm4all.com/) distributors were informed about the CVE-2022-0847 patch on Feb 28th, shouldn't that have been enough time to release kernel patches *before* public disclosure? Isn't that why distributors get informed in advance?

https://www.suse.com/de-de/security/cve/CVE-2022-0847.html states all active SLE products (except the beta in 15 SP4 etc.) as "in progress".

Considering the severity of this bug, it is not very impressive to have no kernel updates a week after getting notified about the bug and the patch :-(

Maybe you can consider opening something like an "early updates" channel for SLE where you publish patched packages when they start their QA process (which I guess is what delays the releases), so that people can decide to work with untested but patched packages for severe bugs until they are officially released after QA?

We are e.g. installing FF and TB packages from the mozilla repo when they are published and work with them for a few days until they are released in SLE, too. Being able to do so with all SLE packages for important patches would be a nice option.

cu,
Frank

-- 
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Recursion can only be understood once you have understood recursion. *
Hi,

On Tue, Mar 08, 2022 at 08:20:29AM +0100, Frank Steiner wrote:
> Hi,
>
> given that (according to https://dirtypipe.cm4all.com/) distributors were informed about the CVE-2022-0847 patch on Feb 28th, shouldn't that have been enough time to release kernel patches *before* public disclosure? Isn't that why distributors get informed in advance?

There was a notification on this date, BUT no release date was set... The exact publish date was only set last Friday.

> https://www.suse.com/de-de/security/cve/CVE-2022-0847.html states all active SLE products (except the beta in 15 SP4 etc.) as "in progress".
>
> Considering the severity of this bug, it is not very impressive to have no kernel updates a week after getting notified about the bug and the patch :-(
>
> Maybe you can consider opening something like an "early updates" channel for SLE where you publish patched packages when they start their QA process (which I guess is what delays the releases), so that people can decide to work with untested but patched packages for severe bugs until they are officially released after QA?
>
> We are e.g. installing FF and TB packages from the mozilla repo when they are published and work with them for a few days until they are released in SLE, too. Being able to do so with all SLE packages for important patches would be a nice option.

The embargo date setting for this specific issue was kind of chaotic; the exact date was set only on Friday. And we need some time to pass it through our release/QA machinery. Due to an unrelated scheduling issue we can only start releasing fixed kernel updates this evening.

FWIW the openSUSE Tumbleweed kernel received the fix "quietly" via stable updates already, so it is already fixed. This was the one where the exploit would have worked directly. For kernels below 5.8, a direct exploit vector is currently not yet available (but likely possible).

As for making in-QA packages available, we have been reviewing this topic before; it is a bit complicated to set up and also to avoid publishing embargoed issues. At least for the Kernel, there are kernel of the day repositories which have daily GIT snapshots, also for SLE.

Ciao, Marcus
participants (2)
- Frank Steiner
- Marcus Meissner