Project Zero blog: "A cache invalidation bug in Linux memory management" by @tehjh -- https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html …
-
-
And to be clear, I don't necessarily care if the patch is public immediately if that's what they decide to do, but if no one is going to react to that patch appropriately and with urgency, that's not great. That seems like a problem we can solve.
-
One thing I'm pretty sure of at this point: I don't think this is a problem that security researchers should attempt to fix unilaterally through their own ad-hoc coordination attempts.
-
Coalescing around linux-distros@ seems like a reasonable place to start, but upstream/distros would ideally agree on a consistent process around how we should utilize the list, and then we can go from there.
-
Good points, thanks Ben. +1 on not expecting researchers to solve this, was just curious on your thoughts :) Lots of tricky parts here, from fixes not always being tagged security to turnaround time for distro updates. End-users could be looking at new kernel updates daily...
-
just as a data point on how another project handles related things: the Xen project published https://lists.xenproject.org/archives/html/xen-devel/2018-05/pdfUjsyxzF0CK.pdf … this year, with information on their handling of security patch batching in section 1.1