Date: Mon, 25 Sep 2017 21:50:59 +0000
From: "Priedhorsky, Reid" <reidpr@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Linux kernel CVEs not mentioned on oss-security

Hello all,

Debian recently issued DSA-3981-1, which announced fixes for quite a few CVEs affecting the Linux kernel. For five of these, I could find no evidence of any mention on oss-security:

  CVE-2017-10661
  CVE-2017-11600
  CVE-2017-12146
  CVE-2017-12154
  CVE-2017-14156

Another CVE not in Debian’s announcement also seems not to have been mentioned here:

  CVE-2016-10200

Of these six, three are possible privilege escalations (CVE-2016-10200, CVE-2017-10661, CVE-2017-12146). One was reported on oss-security, but not by CVE (CVE-2017-14156); the subject was “Linux kernel: driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak”.

I looked for mentions with the Google query ‘"CVE-xxxx-yyyyy" oss-security’ as well as in my own database that I maintain directly from list postings. For CVEs that do appear here on the list, the posting is usually the first Google hit. I don’t believe any of the above are recent enough not to have been announced.

This is related to previous discussions here about CVE requests moving from this list to a web form. IIRC, a key hypothesis was that CVE requestors would forward notices to oss-security. Above, I provide evidence that this is not happening consistently for Linux kernel vulnerabilities.

My questions:

1. Is oss-security’s coverage of security issues in open-source software intended to be comprehensive? If so, this appears not to be true for the Linux kernel.

2. Is there another source of comprehensive coverage of vulnerabilities in the Linux kernel, including but not necessarily limited to all CVEs issued for it?

I appreciate everyone’s time and effort on all this stuff. This post should not be interpreted as singling out Debian for criticism.

Thanks,
Reid
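The coverage check the post describes (comparing the CVE identifiers in a distribution advisory against the identifiers actually mentioned in list postings) can be automated over a local mbox archive. The script below is an added example written for this page, not the poster's own database code. It assumes mbox-style text as input, uses a constructed two-posting sample (the bodies, dates and sender addresses are made up; only the CVE identifiers and the atyfb subject line come from the post), and reports which announced CVEs appear in a subject or body and which do not. Note that a posting like the atyfb one, which names the bug but not the CVE, is correctly not counted as a mention.

```python
import re
from email import message_from_string

# Matches CVE identifiers of any year and sequence length; case-insensitive
# so that "cve-2016-10200" in a casual reply still counts as a mention.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# The six identifiers the post lists as unmentioned on the list.
ANNOUNCED = [
    "CVE-2017-10661", "CVE-2017-11600", "CVE-2017-12146",
    "CVE-2017-12154", "CVE-2017-14156", "CVE-2016-10200",
]

# Constructed sample archive (not real list traffic). Posting 1 describes the
# atyfb bug without its CVE; posting 2 mentions two identifiers, one lowercase.
SAMPLE_MBOX = """\
From list-bounce Mon Sep 18 10:00:00 2017
Subject: Linux kernel: driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak
From: reporter@example.invalid

Constructed body: a stack infoleak in atyfb_ioctl(), no identifier given.

From list-bounce Tue Sep 19 10:00:00 2017
Subject: Re: kernel fixes in recent distribution advisories
From: another@example.invalid

Constructed body: CVE-2017-12154 was fixed upstream; cve-2016-10200 too.
"""


def split_mbox(text):
    """Split raw mbox text into postings on the 'From ' separator lines."""
    postings, current = [], []
    for line in text.splitlines():
        if line.startswith("From ") and current:
            postings.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        postings.append("\n".join(current))
    return [p for p in postings if p.strip()]


def parse_posting(raw):
    """Return (subject, body) for one posting, dropping the mbox 'From ' line."""
    lines = raw.splitlines()
    if lines and lines[0].startswith("From "):
        lines = lines[1:]
    msg = message_from_string("\n".join(lines))
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    return msg.get("Subject", ""), body


def cve_ids_in(text):
    """All CVE identifiers in a string, normalised to upper case."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def coverage_report(announced, mbox_text):
    """Compare announced CVEs with those mentioned anywhere in the archive."""
    mentioned = set()
    for raw in split_mbox(mbox_text):
        subject, body = parse_posting(raw)
        mentioned |= cve_ids_in(subject) | cve_ids_in(body)
    announced_set = {c.upper() for c in announced}
    return {
        "mentioned": announced_set & mentioned,   # announced and seen on list
        "missing": announced_set - mentioned,     # announced, never mentioned
        "other": mentioned - announced_set,       # mentioned, not in advisory
    }


if __name__ == "__main__":
    report = coverage_report(ANNOUNCED, SAMPLE_MBOX)
    for key in ("mentioned", "missing", "other"):
        print(f"{key}: {sorted(report[key])}")
```

Run it against a real archive by reading the mbox file into a string and passing the advisory's CVE list; the "missing" set is the list of identifiers worth cross-posting or asking the requestor about.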