Today I have spent way too much time handling the https://copy.fail situation #copyfail
-
@jmm @alexanderkjall I think I mixed it up with the Linux kernel security team. But shouldn’t *that* team notify the distros?
@LabanSkoller @jmm @alexanderkjall No non I actually read that too from the FAQ on the Copyfail page yesterday. So. That was a lie?
-
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall and strangely disclosed just before the 1st of may, like the mongobleed disclosed just before 1st of January.
Almost as a buzz strategy, pushing IT folks to work on weekends and public holidays.
Seriously, waiting next Monday, letting a weekend to all distros was so hard? -
@alexanderkjall That feels too complicated to leave to leave just to a (potentially 1st time) reporter. I would have hoped that at the very least the LK security team would track with the reporter and remind them of the need to do the other bits regularly. Especially on a nasty one!
@penguin42 @alexanderkjall I agree, having to report to 3 different lists, in a particular order, all with their own policies and methods of working, seems overly complex.
(the complexity may be necessary, but I can see why someone might miss out some steps)
-
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
-
@alexanderkjall That feels too complicated to leave to leave just to a (potentially 1st time) reporter. I would have hoped that at the very least the LK security team would track with the reporter and remind them of the need to do the other bits regularly. Especially on a nasty one!
@penguin42 I place some amount of blame with distro maintainers for not following up on patches released by the kernel team. I know it's not a thankful job, but it needs to be done.
-
@penguin42 I place some amount of blame with distro maintainers for not following up on patches released by the kernel team. I know it's not a thankful job, but it needs to be done.
@fedops @alexanderkjall In this case it doesn't seem to have been that simple; The backports to older kernels were only released upstream yesterday, and the CVE only got assigned a week or two back; so it's not clear if anyone new. I'd love to know if the kernel security guys told anyone there were some pending.
-
@fedops @alexanderkjall In this case it doesn't seem to have been that simple; The backports to older kernels were only released upstream yesterday, and the CVE only got assigned a week or two back; so it's not clear if anyone new. I'd love to know if the kernel security guys told anyone there were some pending.
@penguin42 yeah I understand the back ports problem but there was a patch in mainlinel. The timeline says:
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainlineSurely "proposed and reviewed" must have caught someone's interest?
The sad thing is a patch wasn't even necessary. Disabling the ALG function via bootparam was completely enough except in rare cases where crypto performance actually counts.
-
@penguin42 yeah I understand the back ports problem but there was a patch in mainlinel. The timeline says:
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainlineSurely "proposed and reviewed" must have caught someone's interest?
The sad thing is a patch wasn't even necessary. Disabling the ALG function via bootparam was completely enough except in rare cases where crypto performance actually counts.
@fedops @penguin42 I'm not part of any distro security team, so I can't really speak for any of them.
But Debian contains about 40000 source packages as of may 2026, it feels slightly unrealistic that the security team are supposed to track patches for all of those and understand which ones contain important security fixes.
If you find a vulnerability, register a website and build an exploit, then notifying the vendors beforehand feels like a quite small thing in comparison.
-
@penguin42 yeah I understand the back ports problem but there was a patch in mainlinel. The timeline says:
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainlineSurely "proposed and reviewed" must have caught someone's interest?
The sad thing is a patch wasn't even necessary. Disabling the ALG function via bootparam was completely enough except in rare cases where crypto performance actually counts.
@fedops @alexanderkjall To me it seems the delay in registering the CVE was the big problem here; if the CVE was registered, the distro people would have at least something to track (even if no one had mailed the distro list). Still it feels like each of the 3 components should be mailing the other.
-
@fedops @penguin42 I'm not part of any distro security team, so I can't really speak for any of them.
But Debian contains about 40000 source packages as of may 2026, it feels slightly unrealistic that the security team are supposed to track patches for all of those and understand which ones contain important security fixes.
If you find a vulnerability, register a website and build an exploit, then notifying the vendors beforehand feels like a quite small thing in comparison.
@alexanderkjall I agree and to be clear I have very low respect for that security outfit (and most others as well). Disclosure: I work in industrial cybersec.
However, arguably monitoring the kernel security is the most important thing. If you have a security team in your distro crew and they're not taking a keen interest in kernel security, what are they really doing?
That being said a simple email to the 15 or so distros that matter would not have been too big an ask.
@penguin42 -
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
-
@alexanderkjall I agree and to be clear I have very low respect for that security outfit (and most others as well). Disclosure: I work in industrial cybersec.
However, arguably monitoring the kernel security is the most important thing. If you have a security team in your distro crew and they're not taking a keen interest in kernel security, what are they really doing?
That being said a simple email to the 15 or so distros that matter would not have been too big an ask.
@penguin42 -
@alexanderkjall @penguin42 fwiw I agree with gkh:
https://social.kernel.org/objects/e5b49e64-befb-43a8-aab3-33c7f3705a99@fedops @alexanderkjall Oh, that says no one contacted the security team - which contradicts what it said in the blog of the guys who found it.
-
@fedops @alexanderkjall Oh, that says no one contacted the security team - which contradicts what it said in the blog of the guys who found it.
@penguin42 well he says "they told us", which means the kernel team.
@alexanderkjall -
@penguin42 well he says "they told us", which means the kernel team.
@alexanderkjall@fedops @alexanderkjall Oh OK, I see, yeh they told them about the bug, but didn't tell them about the announcement. Yeh, that sucks.
-
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall "The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it."
Sorry, but it is not the persons responsibility to look out whom to contact.
As per the linked page, he reported to Linux kernel security team on May 23nd.In my opinion it is responsibility of distributions to be in the loop of kernel security team.
-
@alexanderkjall "The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it."
Sorry, but it is not the persons responsibility to look out whom to contact.
As per the linked page, he reported to Linux kernel security team on May 23nd.In my opinion it is responsibility of distributions to be in the loop of kernel security team.
@asltf Since the kernel have the policy "every bug gets a CVE" ( https://docs.kernel.org/process/cve.html ), that seems like a full time job for multiple people.
They published 200 CVE's since 2026-04-24: https://lore.kernel.org/linux-cve-announce/topics_new.html
I guess the security team of your favorite linux distribution would appreciate some support.
-
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
@simonzerafa @alexanderkjall Disclosure to Linux, but not to the distros.
-
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
@simonzerafa @alexanderkjall How do distros know that there is a vulnerability in the wild? -
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall they also had time to obfuscate their exploit.
