We've identified a dozen serious privacy and security issues in various upstream projects over the past couple of months. It's frustrating, since we lack the resources to fix them all ourselves. We've been reporting most of the issues, but progress on resolving them is usually very slow.
We're working on resolving some of these ourselves. It's taking up a lot of our development time. One of the issues is lack of communication and coordination with upstream projects. It can be hard to tell if they understand the issues and are actually working on resolving them...
Currently working on a release fixing some of these problems. It replaces several of our workarounds for user profile information leak / denial of service issues with proper fixes, including one contributed upstream by Sony. It also applies some driver fixes missing upstream.
Remaining: IPv4 privacy issue, IPv6 privacy issues (I've posted about related issues before), use-after-free when disconnecting keyboards, serious memory corruption bugs in one of the most popular game engines, multiple profile issues (races, wrong query context) and much more.
I spent months trying to get some vulnerabilities in RPM resolved. Some of them still are not fixed. And CentOS and RHEL are still not patched.