Date: Sun, 6 Nov 2016 21:50:35 +0200
From: Eyal Itkin <eyal.itkin@...il.com>
To: secalert@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: [engineering.redhat.com #426293] CVE Request - firewire driver RCE - linux 4.8

Hello,

The security patch was deployed yesterday in the official git repository of
linux, after the fix was reviewed and approved by me.
Therefore, CVE 2016-8633 can now be publicly disclosed.

Commit id of the fix: 667121ace9dbafb368618dbabcf07901c962ddac
https://git.kernel.org/linus/667121ace9db

Commit id of the mainline merge: 03daa36f089f31002a2d0fb22088d3ebe3e28d98
https://git.kernel.org/linus/03daa36f089f

Public disclosure details in my security blog:
https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/

P.S. I CCed oss-security since in a second CVE (not public yet) I was told
by your colleague to send the publication request to oss-security.

Thanks for your help,
Eyal Itkin.

On Thu, Nov 3, 2016 at 1:03 PM, Red Hat Product Security <secalert@...hat.com> wrote:

> On Wed Nov 02 22:41:25 2016, eyal.itkin@...il.com wrote:
> > Hello,
> >
> > In a short security audit I made to the firewire driver in the linux
> > kernel, version 4.8, I found severe security vulnerabilities.
> >
> > After contacting security@...nel.org, the driver's contributors have
> > confirmed my findings and have written a patch that fixes the
> > vulnerability:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/ieee1394/linux1394.git/commit/?h=testing&id=ff89027279ec57d69797cbae7c681672f1dbea71
> >
> > [...]
>
> Hello Eyal,
>
> Thank you for reporting this issue and for your extensive analysis.
> Please, use CVE-2016-8633 for this issue. We'll treat this issue as
> embargoed for now.
>
> Best Regards,
>
> --
> Adam Mariš / Red Hat Product Security