January 20, 201610 yr http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
January 20, 201610 yr http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ I saw this report myself last night. Just came here to search for it... NAS, you're quick....
January 20, 201610 yr Author http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ I saw this report myself last night. Just came here to search for it... NAS, you're quick.... Thanks, its my day job. I actively try to only post the bare minimum most important vulnerabilities here as it is easy to get carried away. So far the security patching burden in unRAID has been extremely low and with a couple of notable exceptions turn around these days is reasonably good. Long may it continue, i know I appreciate it.
January 24, 201610 yr Author It seems that all over the internet, devs are having problems proving or disproving this CVE in real life and there is a worrying trend of PEBKAC and Chinese whispers becoming fact. i.e. nonsense e like "I cant blindly use the POC therefore the CVE isnt valid". How are we handling this, if/when are we patching it? Edit: I meant to say that there is a valid case for arguing that due to unRAIDs flatter security model we may not need to rush this out but I think we do need an open debate or at least some more timely feedback.
January 26, 201610 yr It seems that all over the internet, devs are having problems proving or disproving this CVE in real life and there is a worrying trend of PEBKAC and Chinese whispers becoming fact. i.e. nonsense e like "I cant blindly use the POC therefore the CVE isnt valid". How are we handling this, if/when are we patching it? Edit: I meant to say that there is a valid case for arguing that due to unRAIDs flatter security model we may not need to rush this out but I think we do need an open debate or at least some more timely feedback. There was a patch submitted upstream for the fix by someone, but until it's merged, we're not touching it. The Linux kernel/dev team has a process for merging patches like these through mainline, then they backport to stable. We will follow suit.
Archived
This topic is now archived and is closed to further replies.