| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 May 2024 17:59:34 +0200 From: Michal Hocko <mhocko@...e.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org Subject: Re: CVE-2024-35906: drm/amd/display: Send DTBCLK disable message on first commit On Fri 24-05-24 17:22:24, Greg KH wrote: [...] > > > And people want to word-smith the text all the time already, so we just > > > default to using the changelog text as that's the most "neutral" and > > > public information out there (i.e. we don't have to worry about any sort > > > of data-retention or classification laws as the information is already > > > public in kernel changelog text.) > > > > This part I do not understand. What is wrong about a reasoning why > > something has been considered a CVE? E.g. something like > > CVE assigned because a potential WARN_ON is fixed and that could panic > > with panic_on_warn. Fixed by <URL_TO_LINUS_TREE> > > > > or > > CVE assigned because UAF is fixed and those can be generally used to > > construct more complex attacks. Fixed by <URL_TO_LINUS_TREE> > > > > etc. > > Doing the work to classify all of these in this manner isn't going to > happen by us, sorry, as it is not required by the CVE process, and > frankly, we are doing a load of work already here. I would really like the understand this position. You are doing the classification already, right? What does prevent you from making that a part of the process? Why wouldn't you like to help CVE consumers to understand that process better? -- Michal Hocko SUSE Labs
Powered by blists - more mailing lists