Backporting of Discover/KNS fixes

Ben Cooksley bcooksley at kde.org
Mon Mar 7 07:34:24 GMT 2022


On Tue, Mar 1, 2022 at 11:45 PM Ben Cooksley <bcooksley at kde.org> wrote:

> On Sat, Feb 19, 2022 at 10:11 PM Ben Cooksley <bcooksley at kde.org> wrote:
>
>> Dear Distributions,
>>
>
> Hi all,
>
>
>>
>> It has recently come to my attention that some distributions have missed
>> emails sent to this list recently regarding issues with Discover/KNS. As
>> these issues are rather critical I am now requiring all distributions to
>> explicitly acknowledge receipt of these emails and to declare the actions
>> they have taken. As a reminder, end-user systems without these patches are
>> participating in a distributed denial of service attack on KDE.org
>> infrastructure.
>>
>> The two emails which distributions need to keep in mind are:
>> - https://mail.kde.org/pipermail/distributions/2022-February/001140.html
>> - https://mail.kde.org/pipermail/distributions/2022-February/001142.html
>>
>> These patches should be backported to all versions currently in support.
>>
>> For those distributions that have already backported these patches -
>> thank you and apologies for the further inconvenience regarding this.
>>
>
> First, thanks to all those distributions which have acknowledged this
> email.
> I have noted the following as having responded:
> - KaOS
> - Adelie
> - Fedora
> - Slackware
> - Alpine
> - Exherbo
> - SUSE
>
> Your work on this is very much appreciated - thanks for the excellent
> service you've provided.
>
> The following distributions have failed to respond to this:
> - Aosc
> - Archlinux
> - Debian
> - FreeBSD
> - Gentoo
> - Mageia
> - Manjaro
> - Neon
> - NetBSD
> - OpenBSD
> - OpenMandriva
> - PLD
> - Solus
> - Homebrew
>

Thanks to those who have now responded and your packaging work.
Compared to when this incident began, requests have now reduced noticeably.

Due to their failure to respond, I have now suspended pre-release package
access for the following distributions:
- Aosc
- Manjaro
- Mageia
- PLD
- Solus
- Homebrew

With respect to Ubuntu and Debian, these two distributions are requested to
advise when they have released the fixes.

I'm extremely disappointed in both Debian and Ubuntu for the delay they've
had in releasing these updates. Their conduct falls well short of what I
had expected.
In the future items such as this will likely need a CVE to be requested for
them (regardless of how appropriate that may be) to ensure these two
distributions act appropriately.


>
> If those distributions could please acknowledge the steps they have taken
> that would be much appreciated (I'd really prefer not to have to send
> individualised followups)
>
> Special mention in this goes to Ubuntu/Canonical, who currently have their
> release of the fixes held up in internal policies and workflows - despite
> representing half of the traffic being generated by this whole incident at
> one point in time.
> (and it looks like users won't see the patches from them for at least
> another week). Suffice to say, I'm extremely displeased with them.
>
>
>>
>> Thanks,
>> Ben Cooksley
>> KDE Sysadmin
>>
>
> Thanks,
> Ben
>

Regards,
Ben