this post was submitted on 01 May 2026
1 points (100.0% liked)

cybersecurity
[–] zo0@programming.dev 0 points 2 days ago (2 children)

They released the vulnerability without disclosing it to the vendors first? Am I understanding this right?

[–] borari@lemmy.dbzer0.com 0 points 2 days ago* (last edited 2 days ago) (1 children)

No, they disclosed it to the Linux kernel security team, a patch was committed to mainline, then this was disclosed publicly. https://copy.fail/#timeline

They don’t have to coordinate disclosure with every distribution vendor, but dropping a public PoC exploit script 28 days after the patch was committed to mainline kind of seems like a dick move to me.

[–] semperverus@lemmy.world 0 points 2 days ago (1 children)

It technically follows the industry standard rules (and companies who have been exploited have 30 days to disclose breaches in the U.S. so there's probably similar "best practice" stuff with these kinds of disclosures)

[–] WhatAmLemmy@lemmy.world 0 points 2 days ago

It's technically still a dick move unless it's seen in the wild and distros are dragging their heels.

Sometimes it's best to use logic instead of best practices.

[–] poinck@lemmy.world 0 points 2 days ago

It got me wondering as well. Normally I find out afterwards that my system has already been patched for a couple of days.