Hacker News

holowoodman yesterday at 6:10 PM (5 replies)

I can accept (and welcome) disclosure before there are patches.

But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal.

And no, the proposed mitigations don't help with half of the distributions out there...


Replies

staticassertion yesterday at 9:41 PM

The patch was available. Upstream just doesn't communicate vulnerabilities because they have a personal dispute with distros about how to handle patching.

SoftTalker yesterday at 6:38 PM

AIUI the exploit was fairly low-effort once you knew the vulnerability. So publishing one probably didn't change the landscape much.

akerl_ yesterday at 6:44 PM

> maybe even criminal

What’s your theory here? What crime?

wang_li yesterday at 6:25 PM

There is an alternative mitigation you can use which blacklists the function calls when the affected code is not built as a kernel module.

semiquaver yesterday at 6:14 PM

Patches were available for nearly a month.
