How Fedora is Responding to Recent Kernel Vulnerabilities
Article Description:
The last few weeks have had three major Kernel exploits (CopyFail, DirtyFrag, Fragnesia), and it’s likely there are more on the way. The article would give some context on those for anyone who hasn’t been following them and explain how AI-assisted security research is increasing the volume of exploits found and reducing the time before exploits are published (https://zerodayclock.com/).
With that context, it would explain how Fedora gets notified about these vulnerabilities (mailing lists, release-monitoring.org, and Red Hat ProdSec) and how we push out those fixes (security tagged Bodhi updates, even before the kernel has merged the fixes).
It would then wrap up with advice for keeping their devices secure through regular updates and watching out for notifications from Gnome Software for critical updates (I don’t quite know how these get triggered). We could also promote getting involved in the Security and Kernel SIGs.
Thanks for the feedback, I agree with all your suggested changes and have applied them. I’ve clarified that when I say “Fedora Team” I actually mean Fedora Package Maintainers.
If there are additional suggested changes I’m happy to apply them, otherwise I’m good for this to be published at any time.
I think I cannot access the draft. Two things came up in recent days from users that might be covered in an article, if that makes sense to both of you:
Users with some basic knowledge wondered why we did not update, because they thought, e.g., that we didn’t introduce 7.0.6 with a serious security patch; but in fact, Justin had already backported that patch to 7.0.4, so that our 7.0.4 already contained the 7.0.6 patch even before 7.0.6 was released.
Therefore, it might be useful to add that serious/critical patches, which often intentionally are not immediately merged upstream, are the responsibility of the OS to handle with a good compromise, and that our maintainer backports them immediately if he considers them serious security issues → this can also mean that there can be multiple updates that introduce the same kernel version (e.g., 6.9.14-100, 6.9.14-102), with subsequent releases carrying more/newer/better patches.
Anything about that could be reviewed by Justin (if it helps and you agree with him, I can temporarily promote him to TL3 to get access here → but I think the magazine team can do that themselves, if I understand this workflow right?)
General advice for our users: do your daily updates, now more than ever. If they feel they have security-sensitive cases, maybe twice daily with at least 6 hours in between (fedora-updates refreshes every 6 hours). I would not start urging a larger audience to use --refresh or so. On one hand, I see no big security advantage for average users of Fedora who aren’t aware of this themselves. On the other, if many read it, that might cause noteworthy workloads on our infra.
Just some thoughts I had in mind after the recent days and after tackling some comments in Discourse.
I think I have none (I think). No worries, it’s fine. I think summing up some feedback from recent days and such cases in general, as summed up in the two points above, is the best contribution I can currently make anyway.
Sorry, I was just updating the link to the Security SIG docs, as it is now live. I’ve saved and closed.
On @py0xc3’s point, I think I’ve covered both of those sections at a high level. A follow-up from Justin on the specifics of backporting kernel fixes could be good, but that’s not my story to tell.