On Wed, Jun 08, 2016 at 11:39:34PM +0200, Mason wrote:
> On 08/06/2016 20:14, Willy Tarreau wrote:
>
> > On Wed, Jun 08, 2016 at 08:22:38AM -0700, Greg KH wrote:
> >
> >> You can tell them that they are running insecure kernels that are
> >> trivial to break into, and provide them with the latest kernel release
> >> to resolve that.
> >
> > FWIW I just checked, and since we dropped 2.6.32.y 3 months ago, at least
> > 2-3 null pointer dereferences affect it, which can be used either just to
> > crash the system, or even to gain privileges under certain conditions.
>
> Would you believe me if I told you that we provide kernel version
> 3.4.39 because "applying security fixes breaks compatibility with
> binary kernel modules"?

Oh, I totally believe you, don't worry.

> What's worse, some customers agree with that "logic".

Yes, there are plenty of such customers hosting botnets and spam relays who
are not aware of it. And when they sell products based on such kernels,
it's end users who are exposed. And generally these are the same ones who
want all the features they believe they'll need, so you can't even cross
your fingers for their kernel not to enable the dangerous features.

Sometimes you just need to throw in the towel and work for another company
where you won't see these stupid customers anymore. When developers willing
to do this job become rare, either they'll get paid a lot for a really
boring job, or customers will start to think about how to cut costs by using
less dangerous components that are more easily maintained.

Willy
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html