lists.openwall.net: Open Source and information security mailing list archives
Date: Thu, 15 Feb 2024 19:24:23 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jiri Kosina <jikos@...nel.org>
Cc: corbet@....net, workflows@...r.kernel.org, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org, security@...nel.org,
	linux@...mhuis.info, Kees Cook <keescook@...omium.org>,
	Konstantin Ryabitsev <konstantin@...uxfoundation.org>,
	Krzysztof Kozlowski <krzk@...nel.org>,
	Lukas Bulwahn <lukas.bulwahn@...il.com>,
	Sasha Levin <sashal@...nel.org>, Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

On Thu, Feb 15, 2024 at 06:38:05PM +0100, Jiri Kosina wrote:
> On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:
> 
> > The Linux kernel project now has the ability to assign CVEs to fixed
> > issues, so document the process and how individual developers can get a
> > CVE if one is not automatically assigned for their fixes.
> 
> There is still one thing that's not clear to me with this new process, and 
> that's how embargoes are going to be handled.
> 
> Currently, the process is broken as well, but at least understood by 
> everybody.
> 
> - issues are reported to security@...nel.org. No CVE assigned, 7 days 
>   embargo, then fix gets pushed out
> 
> - at some point (in parallel, before, or after the above), the issue gets 
>   reported to linux-distros@. CVE gets assigned, and downstreams start 
>   integrating the fix (once available) to their codebase.

linux-distros is not allowed to assign a CVE id for a Linux kernel fix,
so this will not happen here anymore.  They HAVE to contact
cve@...nel.org in order to do this as no one else is allowed to create a
CVE entry for Linux unless some very extreme things happen that I do not
plan on ever having happen to us (see the CNA rules for details.)

> - embargo is lifted, fixes are released with proper CVE reference
> 
> What is the new process going to look like? Please keep in mind that 
> linux-stable is (by far!) *not* the only downstream of Linux Kernel 
> project.

I agree, and again, linux-distros will not be assigning CVEs for issues
that affect the currently supported kernels as listed on kernel.org, nor
will any other group, so this shouldn't be an issue as we can coordinate
properly if the above scenario happens.

> We've had this discussion in other contexts already, but I wholeheartedly 
> believe that it's in no way in the Linux Kernel project's interest to kill 
> those other downstreams (read: Linux distros) (*) ... or is it?

I have no interest in doing anything about linux-distros, just that they
are not allowed to assign a new CVE for Linux anymore as of Tuesday this
week, and neither is any other CNA, just like they are not allowed to
assign a CVE for Windows today, no difference at all.

thanks,

greg k-h