Open Source and information security mailing list archives
Message-ID: <2025050945-prompter-aerobics-136f@gregkh>
Date: Fri, 9 May 2025 15:37:24 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Attila Szasz <szasza.contact@...il.com>
Cc: Theodore Ts'o <tytso@....edu>, Dmitry Vyukov <dvyukov@...gle.com>, cve@...nel.org, linux-cve-announce@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: REJECTED: CVE-2025-0927: heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem

On Fri, May 09, 2025 at 03:18:19PM +0200, Attila Szasz wrote:
> > I would invite that security researchers
> > file CVE's with the *product* as opposed to the upstream open source
> > project.
>
> The CVE was originally filed for Ubuntu Linux ;)
> Namely, cpe:2.3:o:canonical:ubuntu_linux.
>
> It was moved to kernel.org CNA territory due to some politics,

There was no "politics" here, no other CNA is allowed to assign bugs
against Linux without going through cve@...nel.org first.  That's just
how the CVE system works, Canonical should not have assigned that from
the beginning.  It happens at times, nothing special here, Oracle did it
earlier this week as well, and we had to reassign a CVE over to us.
Other CNAs have done it in the past too when they forgot that Linux was
a CNA.

> then it was rejected on the same day the bug was fixed upstream.

That was based on the request of the filesystem maintainers, which we
use as the final word on these things.

> Since then, I saw Canonical folks mention that they wanted to
> allocate a new one but needed to obfuscate the description so it no
> longer sounds like a kernel bug.

That's great to hear, please let me know when they do that so that we
all can report them for violating their CNA agreement with CVE.org :)

thanks,

greg k-h