
Opera on Handling Security


Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me give a short overview of how security issues get reported and disclosed, not only at Opera but for most applications; it might help some people understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporter sets a deadline by which they intend to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that suits both. If the exploit is not clear, both work on the details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), the fix for the vulnerability is not announced. This is a form of respect both for the reporter and for all the users who only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave many users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds, and vendors do not announce vulnerabilities before the reporter makes their discovery public, in order to properly credit them.


More in Tux Machines

Linux 4.9-rc2

  • Linux 4.9-rc2
    I'm back on my usual Sunday afternoon release schedule, and 4.9-rc2 is out. My favorite new feature that I called out in the rc1 announcement (the virtually mapped stacks) is possibly implicated in some crashes that Dave Jones has been trying to figure out, so if you want to be helpful and try to see if you can give more data, please make sure to enable CONFIG_VMAP_STACK. .. and on the other hand, if you want to just not have to worry about _that_ particular issue, disable the virtually mapped stacks for now, but please do help test. Because 4.9 is obviously shaping up to be a big release (I haven't done the actual stats yet, but I think it's the biggest in number of commits we've ever had), and I think Greg is also planning on making it an LTS release. The two may be related, with people pushing to get their stuff ready. Regardless, the more people who help test, and the earlier in the rc series those people start testing, the better off we'll be. Hint hint. Ok, enough about that. rc2 itself isn't huge, but that's a fairly common pattern: either people just take a breather after the merge window, or it simply takes a while for the fallout of new code to be found, so rc2 is usually a fairly small rc. But we have stuff pretty much all over the map: drivers dominate (gpu drivers stand out, but there's ipmi, clocksource, mmc, pinctrl, HID, scsi, nvme .. you name it). Add some architecture updates (x86 and arm64) and a few filesystems (ext4, nfs, ceph, f2fs), and some VM cleanups and one big fix, and you've covered most of it. The appended shortlog gives the details, and for even more detail you can always go to the git tree itself. Linus
  • Linus Torvalds Announces the Second Release Candidate of Linux Kernel 4.9 LTS
    It's still Sunday in the US, which means that it's time for you to take yet another RC (Release Candidate) milestone of the upcoming Linux 4.9 kernel release for a test drive. That's right, Linus Torvalds just announced the second Release Candidate for Linux kernel 4.9, which lands eight days after the first one and appears to be a fairly normal development snapshot that includes lots of updated drivers, mostly for GPU, but also HID, SCSI, MMC, PINCTRL, IPMI, and clocksource, various x86 and ARM64 architecture updates, improvements to the EXT4, F2FS, Ceph, and NFS filesystems, and some VM cleanups.
  • Linux 4.9-rc2 Kernel Released
    Linux 4.9-rc2 is now available as the latest test release of this forthcoming kernel update. Over the past week there's been a fair number of merges of bug/regression fixes for this stage of Linux 4.9 development, one week since the closure of the merge window. We've already written a lot about Linux 4.9, including our detailed Linux 4.9 feature overview for those interested in the fun changes of this next kernel release.

GParted Live 0.27.0-1 Disk Partitioning Live CD Out Now, Based on GParted 0.27.0

Just one day after announcing the release of the GParted 0.27.0 open-source partition editor software, Curtis Gedak is informing us about the availability of the GParted Live 0.27.0-1 stable release.