lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 20 Jun 2024 11:41:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jan Beulich <jbeulich@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	"security@...project.org" <security@...project.org>,
	Juergen Gross <jgross@...e.com>
Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event
 channel storms

On Thu, Jun 20, 2024 at 11:32:49AM +0200, Jan Beulich wrote:
> On 20.06.2024 11:20, Greg Kroah-Hartman wrote:
> > On Thu, Jun 20, 2024 at 10:46:10AM +0200, Jan Beulich wrote:
> >> On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
> >>> Also, the XSA-391 announcement doesn't say anything about them either,
> >>> is that intentional?
> >>
> >> If by announcement you mean the email sent out to xen-security-issues@...ts.xen.org,
> >> then the copy I'm looking at (v3, the only one having gone public afaict) clearly
> >> lists the three CVEs.
> > 
> > I'm looking at:
> > 	https://xenbits.xen.org/xsa/advisory-391.html
> > and I don't see a git id anywhere, where do you see the v3 announcement
> > saying that?
> 
> Hmm, okay, I then misunderstood your earlier reply: I was assuming you
> were looking for the CVE numbers associated with the XSA, as I thought
> that's what you need to know when deciding whether to issue one
> yourself. No, we didn't ever mention commit IDs anywhere, except when
> issuing XSAs after-the-fact (i.e. changes already having gone in earlier
> on). I guess we need to see whether that's feasible to do for Linux XSAs
> going forward. Yet then it may not be needed there, as we'd now ask you
> for CVE numbers in such cases anyway?

Yes, going forward it's not going to matter, I was just trying to verify
that when I assign ids for older stuff like this that I'm not messing up
in an obvious way :)

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ