lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 14 Feb 2024 07:43:32 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: corbet@....net, workflows@...r.kernel.org, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org, security@...nel.org,
	Sasha Levin <sashal@...nel.org>, Lee Jones <lee@...nel.org>
Subject: Re: [PATCH] Documentation: Document the Linux Kernel CVE process

On Tue, Feb 13, 2024 at 02:35:24PM -0800, Kees Cook wrote:
> On Tue, Feb 13, 2024 at 07:48:12PM +0100, Greg Kroah-Hartman wrote:
> > +No CVEs will be assigned for unfixed security issues in the Linux
> > +kernel, assignment will only happen after a fix is available as it can
> > +be properly tracked that way by the git commit id of the original fix.
> 
> This seems at odds with the literal definition of what CVEs are:
> _vulnerability_ enumeration. This is used especially during the
> coordination of fixes; how is this meant to interact with embargoed
> vulnerability fixing?

Yes, this is totally wrong, it was the original first draft of the
document, that I did on my workstation, and then went on the road for 3+
weeks and I never sycned up when I got home with the updated version
that is on my laptop.  The updated version addresses this, as it was
rightly pointed out by the CVE group that this is not how a CNA is
supposed to only work.

Yet another reason why keeping changes private is a major pain, not only
for security ones!  :(

Let me send out the proper one after my morning coffee has kicked in and
I resolve the differences, and make the grammer fixes that Randy pointed
out...

> Outside of that, I welcome the fire-hose of coming identifiers! I think
> this will more accurately represent the number of fixes landing in
> stable trees and how important it is for end users to stay current on
> a stable kernel.

Agreed.

> Reviewed-by: Kees Cook <keescook@...omium.org>

Many thanks for the review!

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ