[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zc5ZpB6jsuTKmhv5@tiehlicka>
Date: Thu, 15 Feb 2024 19:36:20 +0100
From: Michal Hocko <mhocko@...e.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: corbet@....net, workflows@...r.kernel.org, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, security@...nel.org,
Kees Cook <keescook@...omium.org>, Sasha Levin <sashal@...nel.org>,
Lee Jones <lee@...nel.org>
Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process
On Thu 15-02-24 19:20:09, Greg KH wrote:
> On Thu, Feb 15, 2024 at 06:54:17PM +0100, Michal Hocko wrote:
> > On Wed 14-02-24 09:00:30, Greg KH wrote:
> > [...]
> > > +Process
> > > +-------
> > > +
> > > +As part of the normal stable release process, kernel changes that are
> > > +potentially security issues are identified by the developers responsible
> > > +for CVE number assignments and have CVE numbers automatically assigned
> > > +to them. These assignments are published on the linux-cve-announce
> > > +mailing list as announcements on a frequent basis.
> > > +
> > > +Note, due to the layer at which the Linux kernel is in a system, almost
> > > +any bug might be exploitable to compromise the security of the kernel,
> > > +but the possibility of exploitation is often not evident when the bug is
> > > +fixed. Because of this, the CVE assignment team is overly cautious and
> > > +assign CVE numbers to any bugfix that they identify. This
> > > +explains the seemingly large number of CVEs that are issued by the Linux
> > > +kernel team.
> >
> > Does the process focus only on assigning CVE numbers to a given upstream
> > commit(s) withou any specifics of the actual security threat covered by
> > the said CVE?
>
> Outside of the git commit text, no, we are not going to be adding
> anything additional to the report, UNLESS someone wants to add
> additional text to it, and then we will be glad to update a CVE entry
> with the additional information.
OK, so what is the point of having CVE assigned to such a commit without
any addional information which is already referenced by the kernel sha?
What is the actual added value of that CVE?
> Here's an example of what the CVE announcement is going to look like for
> a "test" that we have been doing for our scripts
> https://lore.kernel.org/linux-cve-announce/2024021353-drainage-unstuffed-a7c0@gregkh/T/#u
Thanks this gave me some idea. One worrying part is
: Please note that only supported kernel versions have fixes applied to
: them. For a full list of currently supported kernel versions, please
: see https://www.kernel.org/
>From the above it is not really clear "supported by _whom_". Because I
am pretty sure there are _fully_ supported kernels outside of that list
which are actively maintained.
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists