| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zc5PycMenLBYECAn@tiehlicka> Date: Thu, 15 Feb 2024 18:54:17 +0100 From: Michal Hocko <mhocko@...e.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: corbet@....net, workflows@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, security@...nel.org, Kees Cook <keescook@...omium.org>, Sasha Levin <sashal@...nel.org>, Lee Jones <lee@...nel.org> Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process On Wed 14-02-24 09:00:30, Greg KH wrote: [...] > +Process > +------- > + > +As part of the normal stable release process, kernel changes that are > +potentially security issues are identified by the developers responsible > +for CVE number assignments and have CVE numbers automatically assigned > +to them. These assignments are published on the linux-cve-announce > +mailing list as announcements on a frequent basis. > + > +Note, due to the layer at which the Linux kernel is in a system, almost > +any bug might be exploitable to compromise the security of the kernel, > +but the possibility of exploitation is often not evident when the bug is > +fixed. Because of this, the CVE assignment team is overly cautious and > +assign CVE numbers to any bugfix that they identify. This > +explains the seemingly large number of CVEs that are issued by the Linux > +kernel team. Does the process focus only on assigning CVE numbers to a given upstream commit(s) withou any specifics of the actual security threat covered by the said CVE? -- Michal Hocko SUSE Labs
Powered by blists - more mailing lists