Just tested it on Debian stable. No crash, ping works. Newer doesn't always mean better. Poor Ubuntu users...
Ubuntu 19.10's Kernel Ships With A DoS / Arbitrary Code Execution Bug In The IPv6 Code
Originally posted by kylew77
I see why it is recommended to stick with an LTS release nowadays. The 6 month release just doesn't seem to get the testing needed, it would appear.
Obviously this can be a big risk for multi-user environments where you can't trust your users, so this needs to be fixed soon. But most multi-user environments probably take some time to upgrade to a new release anyway, even if they use the STS releases and don't invest time to keep up to date with current vulnerabilities (and possibly patch them on their own), and won't upgrade to 19.10 literally on the first day.
Edit: Also, I don't think this is related to lack of testing at all. Ubuntu kernel team is very likely very aware of the fact that there is a vulnerability in the shipped kernel, but timelines (kernel freeze etc.) didn't leave room to get it fixed before release. In fact, I've just checked the launchpad bug report and they acknowledged the bug 9 days ago and also fixed it in the version control system 9 days ago, but that was too late to include it in the release. So this is not due to a lack of testing, it was simply not deemed high priority enough to warrant breaking the freeze that was put in place.
Last edited by Isedonde; 18 October 2019, 09:02 AM.
Originally posted by Isedonde
Honestly, for an average desktop Ubuntu user who upgrades to a new STS release within just a few days after release, I don't think this bug is really that terrible. It's only dangerous when you have an "unprivileged local attacker", so if you can't trust your roommate or family member who also happens to have their own account on your computer, then maybe that's a problem. For every other home user, it doesn't really matter.
Obviously this can be a big risk for multi-user environments where you can't trust your users, so this needs to be fixed soon. But most multi-user environments probably take some time to upgrade to a new release anyway, even if they use the STS releases and don't invest time to keep up to date with current vulnerabilities (and possibly patch them on their own), and won't upgrade to 19.10 literally on the first day.
Edit: Also, I don't think this is related to lack of testing at all. Ubuntu kernel team is very likely very aware of the fact that there is a vulnerability in the shipped kernel, but timelines (kernel freeze etc.) didn't leave room to get it fixed before release. In fact, I've just checked the launchpad bug report and they acknowledged the bug 9 days ago and also fixed it in the version control system 9 days ago, but that was too late to include it in the release. So this is not due to a lack of testing, it was simply not deemed high priority enough to warrant breaking the freeze that was put in place.