Project Zero blog: "A cache invalidation bug in Linux memory management" by @tehjh -- https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html …
Replying to @benhawkes @tehjh
Great find & post. What are your thoughts on ways to address the window of exposure between upstream fix, stable fix, distro uptake, and end-user install?
1 reply 0 retweets 6 likes
Replying to @epakskape @tehjh
Tricky! I think it would at least help if distributions and upstream could 1) find common agreement on what the actual problem is, and 2) work on a shared plan. The guidance given to security researchers is very inconsistent at the moment.
1 reply 0 retweets 2 likes
And to be clear, I don't necessarily care if the patch is public immediately if that's what they decide to do, but if no one is going to react to that patch appropriately and with urgency, that's not great. That seems like a problem we can solve.
1 reply 0 retweets 2 likes
One thing I'm pretty sure of at this point: I don't think this is a problem that security researchers should attempt to fix unilaterally through their own ad-hoc coordination attempts.
1 reply 0 retweets 1 like
Coalescing around linux-distros@ seems like a reasonable place to start, but upstream/distros would ideally agree on a consistent process around how we should utilize the list, and then we can go from there.
1 reply 0 retweets 1 like
Replying to @benhawkes @tehjh
Good points, thanks Ben. +1 on not expecting researchers to solve this, was just curious on your thoughts :) Lots of tricky parts here, from fixes not always being tagged security to turnaround time for distro updates. End-users could be looking at new kernel updates daily...
1 reply 0 retweets 1 like
just as a data point on how another project handles related things: the Xen project published https://lists.xenproject.org/archives/html/xen-devel/2018-05/pdfUjsyxzF0CK.pdf … this year, with information on their handling of security patch batching in section 1.1