
Researcher behind Linux Kernel flaw explains motives

Filed under: Linux, Interviews

When a vulnerability researcher discloses a flaw in a widely used operating system or application, some IT professionals question the motive. Such has been the case with a Linux kernel flaw that was disclosed last week. Wojciech Purczynski, a researcher with Singapore-based security firm COSEINC, discovered the flaw, and a researcher using the online name "Qaaz" followed it up with attack code. Qaaz declined an interview request, but Purczynski did answer some questions in an email exchange. In this Q&A, he explains how he reported the security hole and why Linux users should take his findings seriously.

Describe the sequence of events.

Purczynski: I was quite busy doing some other tasks here at COSEINC, so I had to postpone publication of the vulnerability. But on Feb. 1 I made initial contact with the Red Hat Security Response Team; then we contacted kernel developers so they could provide a quick fix for this vulnerability.

Explain the severity of the vulnerability and why, since it involves the kernel, IT administrators in Linux-based environments should be concerned.
