An anonymous reader quotes Neowin:
Google Project Zero is a security team responsible for discovering security flaws in Google's own products as well as software developed by other vendors. Following discovery, the issues are privately reported to vendors and they are given 90 days to fix the reported problems before they are disclosed publicly.... Now, the security team has reported several flaws in CentOS' kernel.
As detailed in the technical document here, Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the linux-5.15.y stable tree.... As expected, it turned out that several kernel fixes have not been deployed in older, but still supported, versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future it may allot even stricter deadlines for missing backports....
Red Hat accepted all three bugs reported by Horn and assigned them CVE numbers. However, the company failed to fix these issues within the allotted 90-day timeline, and as such, these vulnerabilities are being made public by Google Project Zero.
Horn is urging better patch scheduling so "an attacker who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't just find such bugs in the delta between upstream stable and your kernel."
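The comparison described above, upstream stable against a distribution kernel, is a patch-gap audit that a kernel maintainer can run on their own tree before anyone else does. The script below is an added example, not code from Neowin, Project Zero or Red Hat. It assumes that a backported commit keeps its upstream subject line (the usual convention) and that a fix can be recognised by its `Fixes:` trailer; the two commit logs are constructed samples in a `git log --format=%H%n%s%n%b%n--` style, not real kernel history.

```python
"""Patch-gap audit: list upstream stable fixes a distro kernel has not backported.

Added example (not from Neowin, Project Zero or Red Hat). Assumptions:
  * backports keep the upstream subject line, so subjects can be matched;
  * a fix carries a 'Fixes: <sha> ("...")' trailer in its message;
  * the logs below are constructed samples, not real kernel history.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the commit id named in a 'Fixes:' trailer.
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})\b", re.MULTILINE)
# Record separator used by the constructed log format below.
RECORD_SEP_RE = re.compile(r"^--\s*$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    subject: str
    body: str = ""

    def fixes(self) -> list[str]:
        """Commit ids this commit claims to fix; empty if it is not a fix."""
        return FIXES_RE.findall(self.body)


def parse_log(text: str) -> list[Commit]:
    """Parse a '<sha>\\n<subject>\\n<body>\\n--' style log dump into Commits."""
    commits = []
    for chunk in RECORD_SEP_RE.split(text):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        sha = lines[0].strip()
        subject = lines[1].strip() if len(lines) > 1 else ""
        body = "\n".join(lines[2:])
        commits.append(Commit(sha, subject, body))
    return commits


def missing_backports(upstream: list[Commit], distro: list[Commit]) -> list[Commit]:
    """Upstream fix commits whose subject never appears in the distro branch."""
    distro_subjects = {c.subject for c in distro}
    return [c for c in upstream if c.fixes() and c.subject not in distro_subjects]


# Constructed upstream stable log: two fixes and one feature commit.
UPSTREAM_LOG = """
1111111111111111111111111111111111111111
net: foo: fix use-after-free on teardown
Fixes: 0000000000000000000000000000000000000001 ("net: foo: add teardown path")
--
2222222222222222222222222222222222222222
fs: bar: add new mount option
--
3333333333333333333333333333333333333333
mm: baz: fix out-of-bounds read in parser
Fixes: 0000000000000000000000000000000000000002 ("mm: baz: add parser")
--
"""

# Constructed distro log: one upstream fix backported, one distro-only change.
DISTRO_LOG = """
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
net: foo: fix use-after-free on teardown
Fixes: 0000000000000000000000000000000000000001 ("net: foo: add teardown path")
(backported from upstream 1111111111111111111111111111111111111111)
--
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
distro: enable extra debug config
--
"""


def audit() -> list[Commit]:
    """Run the gap check on the constructed logs; returns the missing fixes."""
    return missing_backports(parse_log(UPSTREAM_LOG), parse_log(DISTRO_LOG))


if __name__ == "__main__":
    for c in audit():
        print(f"missing backport: {c.sha[:12]} {c.subject} (fixes {', '.join(x[:12] for x in c.fixes())})")
```

On a real tree the two logs would come from `git log` of the upstream stable branch and of the distro branch; subject matching is deliberately conservative, so a fix that was backported under a rewritten subject will show up as missing and needs a manual look rather than being silently dropped.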