| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025093058-iciness-talisman-8a9f@gregkh> Date: Tue, 30 Sep 2025 13:22:30 +0200 From: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org> To: Siddh Raman Pant <siddh.raman.pant@...cle.com> Cc: "cve@...nel.org" <cve@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID On Tue, Sep 30, 2025 at 11:09:50AM +0000, Siddh Raman Pant wrote: > On Tue, Sep 30 2025 at 16:29:03 +0530, gregkh@...uxfoundation.org > wrote: > > Then the second change is the one that gets the CVE. Any "previous" > > commits in a series that were preparing for the real fix are not called > > out. As each CVE entry says, do NOT cherry-pick, but rather always take > > all of the commits in the stable release. > > IMO it won't be nice to change an identifier now and a new ID should be > assigned instead. I do not understand. We are not going to change anything here... Let's start over. Is the CVE referenced here in the Subject line, and the git id it references not valid? Does it not fix a vulnerability as described? Is there some other commit that also fixes a vulnerability that should also be assigned to a new CVE? Or is something else wrong here? thanks, greg k-h
Powered by blists - more mailing lists