Debian, Ubuntu, and Other Distros are Leaving Users Vulnerable

Oct 01, 2018

A security researcher says Linux vendors wait too long to patch the kernel.

Linux is known for a rapid response on fixing problems with the kernel, but the individual distros often take their time with pushing changes to users. Now, one of the researchers for Google Project Zero, Jann Horn, is warning that major distros like Debian and Ubuntu are leaving their users vulnerable.

“Linux distributions often don’t publish distribution kernel updates very frequently. For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27,” he wrote in a blog post.

According to Horn, the delay means that users of these distributions remain vulnerable to known exploits. Horn describes a case in which, “a security issue was announced on the oss-security mailing list on 2018-09-18, with a CVE allocation on 2018-09-19, making the need to ship new distribution kernels to users more clear. Still: As of 2018-09-26, both Debian and Ubuntu (in releases 16.04 and 18.04) track the bug as unfixed.”

Horn is also critical of Android, which only ships security updates once a month. “...when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly,” he wrote.

Greg Kroah-Hartman has also been critical of distributions that don’t push these changes to users. Horn warned, “The fix timeline shows that the kernel's approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users – and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime.”

Related content

  • Etch: Security Update No.7

    Corrections and security updates for the current stable Debian have been released.

  • FSF's Free Distros

    The Free Software Foundation maintains a list of GNU/Linux distributions that meet their strict standards for free software – and your distro probably doesn't qualify. Meet the distros that pass the test.

  • Canonical Fixes Boot Failure Issues in Ubuntu

    The regression that led to boot failures was introduced by a previous patch. 

  • Debian LTS

    The Debian project is extending its famous development process to offer long-term support.

  • Meltdown and Spectre

    The blatant security holes known as Meltdown and Spectre, which are built into the computer hardware, are likely to keep us busy for the next few years. How is the Linux community addressing this unexpected challenge?

comments powered by Disqus

Issue 240/2020

Buy this issue as a PDF

Digital Issue: Price $12.99
(incl. VAT)