[parmezan]

It has been less than a month after fixes emerged for kernels and your PoC exploit has already been released into the public. Should you not have waited at least a bit longer (for example 2 months) before disclosing this vulnerability so that people/companies can keep up with patching? Don't they need more time to patch their servers and legacy etc before this becomes yet another log4j exploitation fest? That is if this really is the new dirty cow vuln.

I get responsible disclosure is important, but should we not give people some more opportunity to patch, which will always take some time?

Just curious.

Also, nice work and interesting find!

[staticassertion]

It's the absolute opposite. It's insane that this commit wasn't flagged as a patch for a major vulnerability. Why am I finding out about this now? Why is it now my job to comb through commits looking for hidden patches?

It puts me, as a defender, at an insane disadvantage. Attackers have the time, incentives, and skills to look at commits for vulns. I don't. I don't get paid for every commit I look at, I don't get value out of it.

This backwards process pushed by Greg KH and others upstream needs to die ASAP.

[weberer]

Personally, I just enable automatic security updates and forget about it.

[nickelpro]

Once the commit is in the kernel tree it's effectively public for those looking to exploit it. Combing recent commits for bug fixes for the platform you're targeting is exploitation 101.

The announcement only serves to let the rest of the public know about this and incentivize them to upgrade.

[amluto]

Max did everything right here, and in this case I’m not sure the distribution process exists to have done better.

(Thanks Max for handling this well and politely and for putting up with everyone’s conflicting opinions.)

[staticassertion]

FWIW, if it in any way comes off like I'm blaming Max for this, I'm not. Anyone blaming Max for how vulnerabilities are disclosed is completely ignorant of the kernel reporting process.

[MauranKilom]

Just wanted to note that your replies come off as quite confrontational/aggressive. I think you have valid points, and it's clear that this topic is important to you, but you're heating up the atmosphere of the thread more than necessary.

[staticassertion]

That part I'm ok with. Upstream has treated security researchers with contempt for decades.

[ilnaszeycure]

Why not three months? Why not six? I do not get it. How is this same conversation still happening? This was public the day the patch was sent to the list or pushed to a public git server. Do you think adversaries are sitting around for a POC? Or for you to decide to get around to patching?

I can't help but physically shake my head as I write this. I can't imagine actually asking people to try to play pretend security through obscurity because folks still can be arsed to implement some sort of reasonable update strategy. I have enough experience in tiny and huge shops to say that it's a matter of prioritization and it's just a blatant form of technical debt and poor foresight.

[wtarreau]

You never know if it was already being exploited, but once thing is sure, once the patch gets merged, it's a race and only a matter of time before an exploit is written. Two weeks is already long and may leave distro users exposed, which is why it's important that it doesn't stay too long in the fridge. Ideally we should have a "patch day" every week that distros would align on. That would allow users to adapt to this and get prepared to applying fixes everywhere without having to wonder about what fix addresses what, and more importantly it would remove the surprise effect. The distros process doesn't make this possible at the moment.