So CopyFail CVE-2026-31431 is a thing.

Reply to So CopyFail CVE-2026-31431 is a thing. on Fri, 08 May 2026 14:11:34 GMT

wagenseil@infosec.exchange — Fri, 08 May 2026 14:11:34 GMT

@wdormann guess it's time to finally update to the latest then

Reply to So CopyFail CVE-2026-31431 is a thing. on Wed, 06 May 2026 11:52:15 GMT

wdormann@infosec.exchange — Wed, 06 May 2026 11:52:15 GMT

@Lioh
Vulnerability coordination was clearly only an afterthought.

The copy.fail website included screen recordings of 4 Linux distributions being compromised. And at publication time had the audacity to state:

Most major distributions are shipping the fix now.

Narrator: No distribution had prepared a fix at publication time, as no distribution was even aware of the vulnerability.

The irony in all of this: Brian Pak (the Theori CEO) got his infosec fame as part of the PPP group at CMU, which is the home of the CERT/CC.
Bonus irony: Brian applied at the CERT/CC in 2011 for a position on the team that does vulnerability coordination when I was there.

So to spin things as The old model simply doesn’t scale anymore and our best intention was always to improve Linux security is simply laughable. The goal was a successful publicity stunt. Zero F's were given to the Linux users of the planet.

Reply to So CopyFail CVE-2026-31431 is a thing. on Wed, 06 May 2026 06:15:01 GMT

lioh@social.anoxinon.de — Wed, 06 May 2026 06:15:01 GMT

@wdormann as Greg has pointed out clearly, it is not the responsibility of the Kernel Security team to inform any distro. The funny thing is that Theori, instead of doing that, claims it is not possible anymore and that any distro should instead use (their?) AI tools to spot critical CVEs for the Linux Kernel. This is just a big marketing trick.

Reply to So CopyFail CVE-2026-31431 is a thing. on Wed, 06 May 2026 06:04:24 GMT

lioh@social.anoxinon.de — Wed, 06 May 2026 06:04:24 GMT

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 16:10:46 GMT

uecker@mastodon.social — Tue, 05 May 2026 16:10:46 GMT

@mormund Sure some of them would seem trustworthy. It might very well be impossible to create a perfect rule about who should or should not be on such a list. But this does not mean that one could not create some reasonable criteria and do a best effort. I disagree with "if you inform some of them you might as well inform everyone" Why should this be the case?

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 16:04:10 GMT

uecker@mastodon.social — Tue, 05 May 2026 16:04:10 GMT

@gregkh @icing I think the hostility "just a troll" is not necessary.

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 08:35:42 GMT

mormund@mastodon.social — Tue, 05 May 2026 08:35:42 GMT

@uecker In case you are sincere: Is Hannah Montana Linux trustworthy? You also forgot Alpine Linux, Suse and and and and in your list, all of which are "serious" distros. What about Android? They run on billions of devices. But they won't patch anyways. Do they get to be in the club? If you inform all of them you might as well inform everyone.

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 07:19:35 GMT

gregkh@social.kernel.org — Tue, 05 May 2026 07:19:35 GMT

@uecker @icing As is pointed, out, this is just a troll, but seriously, "worthy" isn't the issue. Again, you can not have one group "in" and one "out" without real reasons why anyone is "out".

And again, my point remains, "All early release lists leak like a sieve, otherwise why does your government allow it to exist."

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 06:11:45 GMT

uecker@mastodon.social — Tue, 05 May 2026 06:11:45 GMT

@icing @gregkh Sorry about that, but I find the "nothing could be done" and "responsible disclosure" is dead arguments fairly weak and I do not think that pointing this out is trolling. But let's stop here.

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 06:06:24 GMT

icing@chaos.social — Tue, 05 May 2026 06:06:24 GMT

@uecker

You are a troll, Mr Uecker.

@gregkh

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 06:03:27 GMT

uecker@mastodon.social — Tue, 05 May 2026 06:03:27 GMT

@icing @gregkh Would you consider Debian, arch, gentoo, Redhat, Ubuntu to be worthy?

Reply to So CopyFail CVE-2026-31431 is a thing. on Tue, 05 May 2026 06:00:42 GMT

uecker@mastodon.social — Tue, 05 May 2026 06:00:42 GMT

@krzk I think this is an unfair accusation. I was pointing out that the argument "it is unclear who to put on the list" by itself is a weak argument. I did not think that this needs further explanation as this seems obvious. Maybe there are good reason why it is difficult to maintain such a list, but the thread I commented on did not include those. In any case, I think it is not help to directly accuse people of "FUD" or misinformation in an evolving discussion.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 22:06:20 GMT

zmanion@infosec.exchange — Mon, 04 May 2026 22:06:20 GMT

@gregkh @joshbressers @wdormann @Viss Because it exists and works better than the alternatives: telling nobody (and waiting to see who notices and when) or telling everybody all at once. If you have regulatory requirements to do or not do something, by all means, follow the regs. I'm not claiming any regs implement sound public CVD policy. Also when there is an external finder, the finder could choose to notify distros or follow other coordination paths, in addition to notifying kernel.org.

(I also understand that it's not quite as simple as just dropping a message on the distros list, and I read a Qualys message explaining that they no longer use distros.)

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 19:47:56 GMT

icing@chaos.social — Mon, 04 May 2026 19:47:56 GMT

@uecker

I think I should be the only one on that list. I‘ll then notify the right people who can demonstrate their worthiness.

Wait! That‘s already anthropic‘s business idea. Damn.

@gregkh

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 19:24:43 GMT

krzk@social.kernel.org — Mon, 04 May 2026 19:24:43 GMT

@uecker It's easy to make statements, when you do not want to back them with any sort of argument. Just make a statement and put final stop. Product Foo is insecure. Some car manufactured by Baz is not reliable. This argument is unconvincing. I can express that as well...

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 16:50:14 GMT

gregkh@social.kernel.org — Mon, 04 May 2026 16:50:14 GMT

@uecker @icing There are many reasons why this would not work. Again, step through the logic to prove it yourself.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 16:14:43 GMT

uecker@mastodon.social — Mon, 04 May 2026 16:14:43 GMT

@krzk @icing @joshbressers @wdormann @Viss @gregkh I apologize for having expressed an opinion as a long term user and contribute to free software. I could, of course, try to explain a bit better why I have the impression that the free software world is a bit too much under the influence of certain tech companies and not as accessible to new contributors anymore, but your reaction tells me that there is probably not much point in having this discussion. (revised)

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 16:13:38 GMT

uecker@mastodon.social — Mon, 04 May 2026 16:13:38 GMT

@gregkh @icing @joshbressers @wdormann @Viss I would imagine that the Linux foundation could assemble some experts that together agree on some objective criteria and a process and based on this organizations / projects are accepted to the list. Seeing such self-organization working in many other areas, I would expect that this is possible. But maybe there are reasons why I am wrong.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 14:30:48 GMT

krzk@social.kernel.org — Mon, 04 May 2026 14:30:48 GMT

@gregkh @uecker @Viss @icing @joshbressers @wdormann Heh, that's @uecker style of raising FUD, without actual arguments why it supposed to be unconvincing.
Here https://social.kernel.org/notice/B5gj02TzcQaDMcTpc8 supposedly individual (hobbyist) contributors have somehow obstacles from contributing just because some big companies are implementing changes matching their needs.

No facts or arguments why it would be more difficult for the hobbyist just statement "makes it more costly for others to contribute".

No facts why inability to create such list is unconvincing. It is just "unconvincing".

It's easy to discuss like that - object to anything, even to actual arguments, but without providing anything backing up one's statement.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 14:07:42 GMT

gregkh@social.kernel.org — Mon, 04 May 2026 14:07:42 GMT

@uecker @icing @joshbressers @wdormann @Viss Why is it unconvincing? Who decides what group is on,or is not on, such a list? Your government? My governments? Their government? No government? Me? You? Someone else? And what is the criteria exactly for how?

See how it breaks down when it hits the real world?

As I have said many times, "All early-announce lists are a leak, otherwise why would your government allow it to exist?"

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 10:53:11 GMT

di4na@hachyderm.io — Mon, 04 May 2026 10:53:11 GMT

@wiert @ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez i would love explanations of Patreons or Twitch subscription then.

Maaaaaaybe this is a useful lie-for-children and there are other mechanisms at play.

Maaaaaaaaaaayyyyyyyybe

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 10:17:51 GMT

wiert@mastodon.social — Mon, 04 May 2026 10:17:51 GMT

@ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na this indeed.

We (both as in we the people, and we the capitalistic rat race that is addicted to hypes) do not want to pay for things perceived as free until these things suddenly backfire.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 06:56:21 GMT

dazo@infosec.exchange — Mon, 04 May 2026 06:56:21 GMT

@mjdxp

Most likely just a tiny pre-configured base Debian and RHEL images, with the smallest desktop environment available. Used to kick off a disposable VMs to test exploits in a safer and more controlled environment. Once the testing is done, the image for that particular VM is deleted.

I wouldn't expect a minute more than absolutely needed was spent to configure the desktop.

At least that's what I prefer to do.

Reply to So CopyFail CVE-2026-31431 is a thing. on Mon, 04 May 2026 04:55:23 GMT

ariadne@social.treehouse.systems — Mon, 04 May 2026 04:55:23 GMT

@wdormann can confirm. in alpine we had to figure out which stable kernels already had a backport. the disclosure was not well executed.