NAS Posted January 20, 2016

http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

CHBMB Posted January 20, 2016

> http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

I saw this report myself last night. Just came here to search for it... NAS, you're quick....

NAS (Author) Posted January 20, 2016

> http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
>
> I saw this report myself last night. Just came here to search for it... NAS, you're quick....

Thanks, it's my day job. I actively try to only post the bare minimum most important vulnerabilities here as it is easy to get carried away.

So far the security patching burden in unRAID has been extremely low and with a couple of notable exceptions turnaround these days is reasonably good. Long may it continue, I know I appreciate it.

NAS (Author) Posted January 24, 2016

It seems that all over the internet, devs are having problems proving or disproving this CVE in real life and there is a worrying trend of PEBKAC and Chinese whispers becoming fact, i.e. nonsense like "I can't blindly use the POC therefore the CVE isn't valid".

How are we handling this, if/when are we patching it?

Edit: I meant to say that there is a valid case for arguing that due to unRAID's flatter security model we may not need to rush this out but I think we do need an open debate or at least some more timely feedback.

jonp Posted January 26, 2016

> It seems that all over the internet, devs are having problems proving or disproving this CVE in real life and there is a worrying trend of PEBKAC and Chinese whispers becoming fact, i.e. nonsense like "I can't blindly use the POC therefore the CVE isn't valid".
>
> How are we handling this, if/when are we patching it?
>
> Edit: I meant to say that there is a valid case for arguing that due to unRAID's flatter security model we may not need to rush this out but I think we do need an open debate or at least some more timely feedback.

There was a patch submitted upstream for the fix by someone, but until it's merged, we're not touching it. The Linux kernel/dev team has a process for merging patches like these through mainline, then they backport to stable. We will follow suit.