Message-ID: <2025040221-curtain-walnut-2540@gregkh>
Date: Wed, 2 Apr 2025 08:41:59 +0100
From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To: Siddh Raman Pant <siddh.raman.pant@...cle.com>
Cc: "cve@...nel.org" <cve@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/2] published: CVE-2025-0927: Fix up JSON schema.

On Wed, Apr 02, 2025 at 07:16:33AM +0000, Siddh Raman Pant wrote:
> On Wed, Apr 02 2025 at 12:36:20 +0530, Greg Kroah-Hartman wrote:
> > On Wed, Apr 02, 2025 at 12:21:52PM +0530, Siddh Raman Pant wrote:
> > > It doesn't match the schema of other CVEs as it was not generated
> > > by bippy.
> > 
> > It was created by vulnogram for obvious reasons :(
> > 
> > Also, please cc: cve@...nel.org for stuff like this.
> 
> Okay, noted.
> 
> > 
> > > Fixed by hand / manually.
> > > 
> > > programFiles were added from the info in mbox.
> > 
> > So this did two different things?  Why does the layout matter here?
> > Eventually it will be created properly when someone gets the fix
> > upstream, I'm waiting for Canonical to do it as they are responsible for
> > fixing this mess at the moment, but don't seem to be responding to my
> > emails anymore...
> 
> Apparently, they fixed it in February and backported it:
> 
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?h=Ubuntu-6.8.0-54.56&id=09ad3b1e99befe042ae5219e4020eb54411d98ef
> 
> https://ubuntu.com/security/CVE-2025-0927

Yes, they did that without telling anyone, and assigned a CVE for it
which they are not allowed to do at all, which is why I had to
hand-create this one when it was transferred to kernel.org.  They should
be working to get that change upstream properly, but again, they seem to
be ignoring us totally at the moment :(

greg k-h
