Ubuntu, illustrating how to utterly fail at kernel security updates
Just like last time, this is a rant.
Here's a simple procedure that you too can follow:
- develop fixes for some CVE issues in the various kernel versions that you maintain.
- announce and release new kernel security updates for most of your currently supported distributions, but not for 10.04 LTS. Trained sysadmins running 10.04 will ignore them, and even if they don't there are no 10.04 updates for them to apply.
- announce and release new kernel security updates for specialized versions of 10.04, like the one that runs on Amazon's EC2. Trained sysadmins will ignore them and even if they don't, there's still no general 10.04 update.
- realize that oops, you forgot to do a general 10.04 kernel update.
- quietly put a kernel update into your security repository. Do not announce it on your security mailing list, because that might be embarrassing. Besides, who reads those things anyways? People using Ubuntu should just install every available update, and right away; as we've already established, putting useful details in kernel security announcements is optional anyways.
(Yes, I checked the ubuntu-security-announce archives just to make sure that our mail system hadn't swallowed an announcement.)
Of course, as a standard thing it appears that the Ubuntu changelog for the kernel package doesn't necessarily include a list of the CVEs that are fixed in any particular revision of the package. It would make sense that the specialized versions have the same bugs fixed as the main one, but given past issues it's hard to tell unless I spend far more time on this than I have any interest in doing.
Right now, I am very, very angry with Ubuntu's slipshod practices. We run Ubuntu on servers, in an environment where we can't just reboot machines because Ubuntu feels that we should; we really do need to be able to assess the importance of security updates, especially when many of the bugs don't even apply to our specific environment (they require protocols we don't use, hardware we don't have, or the ability to plug devices with maliciously corrupted filesystems into servers in a machine room).
PS: my story may not be exactly what happened (see eg), but from the outside it sure looks like a plausible story.
PPS: there was also a stealth 8.04 kernel security update, but it's less clear what's going on with that one. On one hand, the package changelog between 2.6.24-29.90 and 2.6.24-29.91 lists a whole bunch of CVEs. On the other hand, many of them are old. Did Ubuntu miss a significant set of security updates for the 8.04 kernel, and only notice things now? Ubuntu 10.04 had fixes for at least some of these CVEs back in March.
(See also the tracking bug for the 8.04 update.)
Update: Ubuntu has now released two notices for this kernel update, for the 10.04 version and for the 8.04 version. It remains the case that Ubuntu published security updates in the repository well before an announcement was made (apparently surprising some people), and that they let a general kernel package update lag well behind at least specialized version updates.
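As an added example (not from the post or from Ubuntu), here is the changelog check described above in Python: it parses a Debian-format package changelog, lists the CVE ids each package revision mentions, and reports which ones an update from the installed revision would bring in, so an admin can assess a quietly published update without an announcement. The changelog text, maintainer and CVE ids are constructed placeholders; only the version strings are the 8.04 ones mentioned above.

```python
import re
from collections import OrderedDict

# Constructed sample in Debian changelog format. The CVE ids are placeholders
# (CVE-0000-*), not real identifiers; the versions are the ones named in the post.
SAMPLE_CHANGELOG = """\
linux (2.6.24-29.91) hardy-security; urgency=low

  * fs: validate superblock fields before use
    - CVE-0000-0002
  * net: fix length check in option parsing
    - CVE-0000-0003
  * CVE-0000-0002: same fix also applied to the compat path

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Nov 2010 12:00:00 +0000

linux (2.6.24-29.90) hardy-security; urgency=low

  * usb: reject malformed descriptors
    - CVE-0000-0001

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 04 Oct 2010 12:00:00 +0000
"""

# Entry header: "<source> (<version>) <distribution>; urgency=..."
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_by_version(changelog):
    """Map each version entry (newest first, as in the file) to the sorted
    list of distinct CVE ids mentioned anywhere in that entry's body."""
    found = OrderedDict()
    current = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            found.setdefault(current, set())
        elif current is not None:
            found[current].update(CVE_RE.findall(line))
    return OrderedDict((v, sorted(s)) for v, s in found.items())


def cves_new_since(changelog, installed_version):
    """CVE ids from entries newer than installed_version: what applying the
    update would fix according to the changelog (empty if nothing is newer)."""
    new = set()
    for version, cves in cves_by_version(changelog).items():
        if version == installed_version:
            break
        new.update(cves)
    return sorted(new)
```

An entry that maps to an empty list is exactly the case the post complains about: a revision whose changelog names no CVE at all.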