Security Response Question

[Azahorscak]

Hi, it seems to me that the response to this issue here was not appropriate. Could you help clarify your recommendations and/or your security policy?

The issues with this I see are two:

1. This person was not disclosing a security vulnerability they found in bottlerocket, they were asking for guidance on addressing a publically disclosed issue in the linux kernel. Having a place to track the progress of this type of change as it relates to bottlerocket, in this repository or elsewhere if clarified, is valuable to users of bottlerocket. This specific instance the issue did not violate the security policy IMO and it remains an issue.
2. For these types of issues, specifically having a place for the community to discuss guidance on mitigation options should be clear and in this repository and not locked (even if the end result is a recommendation against a specific mitigation, or antectdotal).

I would love to hear your thoughts on this and appreciate any feedback. I understand that issues might not be the correct place and cause maintainers notifications fatigue. My main concern is that the community cannot continue to comment on the issue that was closed and has no guidance on where to go next.

Potential solution:

• Explicitly stating that this type of discussion should be only in a github "discussion" on the security page would be sufficient IMO.

[diarmaidmcmanus]

I agree. When an unpatched kernel issue is discovered, I look to Bottlerocket subject matter experts for advice on impact or mitigations. The discussion the week before was a valuable place to share insight into an emerging risk until patches became available.

I second your potential solution. I only thought of checking the 'discussions' tab today. It's unclear where these discussions are supposed to take place. A colleague determined on Friday that this appears unexploitable (in our environment) in a default Ubuntu 24.04 container running on Bottlerocket 1.60. I had nowhere to share this insight, nor learn about potential conditions where people did manage to get this exploit working.

[diarmaidmcmanus]

It appears CVE-2026-43284 (IPSec ESP module vulnerability) has been patched in the Linux Kernel and some operating systems have made releases.

CVE-2026-43500 (RxRPC) is as of yet unpatched fixed also, unclear about releases.

I can't find any details on expected release of an updated kernel for Bottlerocket OS just yet.

[diarmaidmcmanus]

Change log updated, release is expected around Monday May 18. Many thanks to the Bottlerocket team.

https://github.com/bottlerocket-os/bottlerocket/blob/develop/CHANGELOG.md