Ubuntu, illustrating how to utterly fail at kernel security updates
July 15, 2011
Just like last time, this is a rant.
Here's a simple procedure that you too can follow:
(Yes, I checked the ubuntu-security-announce archives just to make sure that our mail system hadn't swallowed an announcement.)
Of course, as a standard thing it appears that the Ubuntu changelog for the kernel package doesn't necessarily include a list of the CVEs that are fixed in any particular revision of the package. It would make sense that the specialized versions have the same bugs fixed as the main one, but given past issues it's hard to tell unless I spend far more time on this than I have any interest in doing.
Right now, I am very, very angry with Ubuntu's slipshod practices. We run Ubuntu on servers, in an environment where we can't just reboot machines because Ubuntu feels that we should; we really do need to be able to assess the importance of security updates, especially when many of the bugs don't even apply to our specific environment (they require protocols we don't use, hardware we don't have, or the ability to plug devices with maliciously corrupted filesystems into servers in a machine room).
PS: my story may not be exactly what happened (see eg), but from the outside it sure looks like a plausible story.
PPS: there was also a stealth 8.04 kernel security update, but it's less clear what's going on with that one. On one hand, the package changelog between 2.6.24-29.90 and 2.6.24-29.91 lists a whole bunch of CVEs. On the other hand, many of them are old. Did Ubuntu miss a significant set of security updates for the 8.04 kernel, and only notice things now? Ubuntu 10.04 had fixes for at least some of these CVES back in March.
(See also the tracking bug for the 8.04 update.)
Update: Ubuntu has now released two notices for this kernel update, for the 10.04 version and for the 8.04 version. It remains the case that Ubuntu published security updates in the repository well before an announcement was made (apparently surprising some people), and that they let a general kernel package update lag well behind at least specialized version updates.
Written on 15 July 2011.
* * *