Message-ID: <D06F40E5-0DBC-4FF2-BAF5-2373BDF3815C@kernel.org>
Date: Thu, 29 Feb 2024 07:08:06 -0800
From: Kees Cook <kees@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Michal Hocko <mhocko@...e.com>
CC: Kees Cook <keescook@...omium.org>, cve@...nel.org,
 linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
On February 29, 2024 6:18:36 AM PST, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
>As part of the requirement to be a CNA, we have to announce everything
>that we think is a potential vulnerability, severity not be judged at
> [...]
>Again, none of this has anything to do with "severity", it only is an
>identifier that says "this fixes a vulnerability".

The language here can perhaps be improved for better understanding by folks since "CVE" and "vulnerability" can mean different things to different people. I would say "this fixes a weakness".

CVEs are for anything deemed a "weakness"[1]. It doesn't need to rise to the level of what many people would consider a "vulnerability". (Modern attacks traditionally chain many weaknesses together to form an exploit, some of which look harmless when examined in isolation.)

I find it helps to keep in mind the "CIA" acronym of what makes up a security weakness: "negative impact to Confidentiality, Integrity, or Availability". (Not to be confused with the US Gov intelligence org with the same acronym, ironically.)

-Kees

[1] https://nvd.nist.gov/vuln

-- 
Kees Cook
