To all my fuzzing friends, @jeffball55 wrote up an article on using AFL and KLEE to go after the Linux kernel. https://blog.grimm-co.com/post/analyzing-the-linux-kernel-in-userland-with-afl-and-klee/ He found an out-of-bounds read in the ASN.1 decoder which still exists on RHEL 7 despite being patched in the mainline kernel a couple years ago.
-
2) is clearly incorrect. There are many backports that are not CVE patches, I'd even go as far as to say "most" are not. There is a phase of the lifecycle that is feature enablement. Did I misread you? Disclaimer: I work for RH prodsec doing CVE stuff.
-
The point is, if Red Hat is backporting anywhere less than 100% of the Linux kernel commits, it is probably missing Linux kernel security fixes due to 1). This isn't RH specific. Just that RH is hit harder due to the practice of using older kernels and selectively backporting.
-
Not a RHEL-specific problem, but many people don't want to acknowledge how the meat is made, or: “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”
-
Indeed it's not RHEL-specific. But I suppose RHEL probably has a higher count of unfixed CVE-free bugs due to the nature of the older code bases being used. e.g. RHEL 7.7 uses kernel 3.1.0, which was released almost 10 years ago?
