Date: Thu, 28 Sep 2017 09:35:33 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Hi Greg,

On Wed, Sep 27, 2017 at 03:04:24PM +0200, Greg KH wrote:
> On Wed, Sep 27, 2017 at 02:51:49PM +0200, Solar Designer wrote:
> > Besides, Greg focuses on the problem that some ignore the stable kernels
> > or the "curated and tested stream of fixes" that could be seen in there,
> > whereas another concern mentioned earlier in the thread is that the
> > stream is also incomplete because some security fixes are not marked as
> > such and not CC'ed to stable.  So that's two problems mentioned in the
> > thread, but vendor-sec was not / linux-distros is not related to either.
>
> For that second issue, I've not ever really run into any "known security
> fix" not being cc:ed to stable.  Do you have any known examples where I
> can go poke the maintainers to do better?
>
> We have plenty of the normal "bugfix was merged that a few years later
> turned out to be a 'security' issue, but no one realized it at the time"
> changes that get merged.  And to help combat that, we are doing more and
> more "smart mining" of the kernel commits to try to catch patches
> that match those types of fixes and get them merged into the stable
> kernels.
>
> You can see the initial results of this work with the huge increase in
> patches being merged to the 4.9 and 4.4 stable kernels vs. any older
> stable kernel trees in the past.

This is definitely not "exhaustive", and not exactly what you are
pointing out. I thought it might still be of help, so I quickly looked
at what we know in our kernel-sec repository tracking as well: fixes
which are still "needed" in 4.9:

CVE-2017-0605:
--------------
https://security-tracker.debian.org/tracker/CVE-2017-0605

upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21] is e.g.
included in 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4), 3.2.89
(e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.
(afaics not Cc'ed to stable).

CVE-2017-12154:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-12154
from https://marc.info/?l=oss-security&m=150640182829622&w=2

upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]
AFAICS, not Cc'ed to stable.

CVE-2017-14156:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-14156

upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]

CVE-2017-1000252:
-----------------
https://security-tracker.debian.org/tracker/CVE-2017-1000252

The reason that there is no Cc to stable might actually have been a
safety guard to not send out the commit to a public list, but not sure.

upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]

Hope this might be of help.

Regards,
Salvatore