lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 10 Dec 2013 18:12:13 -0800
From:	Greg KH <gregkh@...uxfoundation.org>
To:	Dave Chinner <david@...morbit.com>
Cc:	Josh Boyer <jwboyer@...oraproject.org>,
	Luis Henriques <luis.henriques@...onical.com>,
	Kees Cook <keescook@...gle.com>,
	Dwight Engen <dwight.engen@...cle.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Brian Foster <bfoster@...hat.com>,
	Dave Chinner <dchinner@...hat.com>,
	Gao feng <gaofeng@...fujitsu.com>, Ben Myers <bpm@....com>,
	xfs@....sgi.com, "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: XFS security fix never sent to -stable?

On Wed, Dec 11, 2013 at 01:00:07PM +1100, Dave Chinner wrote:
> On Tue, Dec 10, 2013 at 08:10:51PM -0500, Josh Boyer wrote:
> > On Tue, Dec 10, 2013 at 8:03 PM, Dave Chinner <david@...morbit.com> wrote:
> > > Security processes are not something that should be hidden away in
> > > it's own private corner - if there's a problem upstream needs to
> > > take action on, then direct contact with upstream is necessary. We
> > > need to know about security issues - even ones that are classified
> > > post-commit as security issues - so we are operating with full
> > > knowledge of the issues in our code and the impact of our fixes....
> > 
> > Agreed.  I'm going to interpret your comments at being directed to the
> > general audience because otherwise you're just shooting the messenger
> > :).
> 
> Right, they are not aimed at you - they are aimed at those on the
> security side of the fence. I'm tired of learning about CVEs in XFS
> code through chinese whispers and/or luck.

CVEs for the kernel are almost always "assigned" after the problem is
fixed, or when people "notice" something was changed upstream.  At that
point, there's no need for the original committer to be notified, as
there's nothing to do.

Anyway, I understand your frustration about CVEs, I don't like them much
either, but some people do, so let them deal with them, and don't give
them a second thought.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ