Sean Michael Kerner Blog
Red Hat plugs NULL Linux hole - a week late?

From the "How Long Does It Take Linux Vendors To Patch?" files:
On August 14th, I wrote about a Linux NULL pointer security flaw affecting all Linux vendors. Linux founder Linus Torvalds had a patch for the upstream kernel the same day, but how long did it take the big enterprise vendors? You might be surprised. I know I was.

Red Hat, the leading enterprise Linux vendor, just issued a patch for the flaw yesterday (so if you're keeping score, that's 10 days). Novell was a little faster, issuing its update on August 20th (so only 6 days for them). The Ubuntu fix came on August 19th.

So what took Red Hat so long? I queried Red Hat last week (prior to the patch update). A spokesperson wrote in an email to me that Red Hat was working on kernel updates which include a fix for the issue CVE-2009-2692 (NULL) and that they would release them as soon as they completed Red Hat's quality and release engineering processes. Red Hat had also published a work-around for users prior to the patch release.

To be fair, the flaw is (or was) a local exploit: an attacker needs an account on the box to use it for privilege escalation, so the risk (while real) was not like a remotely exploitable Microsoft IE zero day flaw.

One thing that happened with this particular flaw is that it escaped from the private vendor-sec list and became public before the vendors could react. "There had been some public discussion about the flaw and it was known that an exploit had been created, so in those circumstances it made sense that the upstream kernel maintainers pushed out their patch as soon as possible to address this issue," Red Hat stated.

3 Comments
Hi Sean,
Fedora issued updates for this particular issue on August 17th for both Fedora 10 and Fedora 11.
Good grief. A seemingly simple kernel change can affect a lot of GNU software right down the line. That's why there are rigorous QA tests done before such a release, to make sure the patch doesn't break packaged software. This is a normal and desired cycle, and it's incredible that it takes such a short time to certify in the Linux world.
Microsoft takes months to patch their gaping remote exploit holes, if they even acknowledge the existence of them in the first place. Why not whine about that instead?
I suppose the real question about whether RedHat was fast enough is, "Did anyone's RedHat box get exploited?" I suspect that none did, and so, actually, RedHat were quite fast enough.
Won't do their stats any good, though ...