[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2024062001-jab-eliminate-5198@gregkh>
Date: Thu, 20 Jun 2024 11:41:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jan Beulich <jbeulich@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
"security@...project.org" <security@...project.org>,
Juergen Gross <jgross@...e.com>
Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event
channel storms
On Thu, Jun 20, 2024 at 11:32:49AM +0200, Jan Beulich wrote:
> On 20.06.2024 11:20, Greg Kroah-Hartman wrote:
> > On Thu, Jun 20, 2024 at 10:46:10AM +0200, Jan Beulich wrote:
> >> On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
> >>> Also, the XSA-391 announcement doesn't say anything about them either,
> >>> is that intentional?
> >>
> >> If by announcement you mean the email sent out to xen-security-issues@...ts.xen.org,
> >> then the copy I'm looking at (v3, the only one having gone public afaict) clearly
> >> lists the three CVEs.
> >
> > I'm looking at:
> > https://xenbits.xen.org/xsa/advisory-391.html
> > and I don't see a git id anywhere, where do you see the v3 announcement
> > saying that?
>
> Hmm, okay, I then misunderstood your earlier reply: I was assuming you
> were looking for the CVE numbers associated with the XSA, as I thought
> that's what you need to know when deciding whether to issue one
> yourself. No, we didn't ever mention commit IDs anywhere, except when
> issuing XSAs after-the-fact (i.e. changes already having gone in earlier
> on). I guess we need to see whether that's feasible to do for Linux XSAs
> going forward. Yet then it may not be needed there, as we'd now ask you
> for CVE numbers in such cases anyway?
Yes, going forward it's not going to matter, I was just trying to verify
that when I assign ids for older stuff like this that I'm not messing up
in an obvious way :)
thanks,
greg k-h
Powered by blists - more mailing lists