Date: Thu, 28 Sep 2017 09:35:33 +0200
From: Salvatore Bonaccorso <>
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Hi Greg,

On Wed, Sep 27, 2017 at 03:04:24PM +0200, Greg KH wrote:
> On Wed, Sep 27, 2017 at 02:51:49PM +0200, Solar Designer wrote:
> > Besides, Greg focuses on the problem that some ignore the stable kernels
> > or the "curated and tested stream of fixes" that could be seen in there,
> > whereas another concern mentioned earlier in the thread is that the
> > stream is also incomplete because some security fixes are not marked as
> > such and not CC'ed to stable.  So that's two problems mentioned in the
> > thread, but vendor-sec was not / linux-distros is not related to either.
> For that second issue, I've not ever really run into any "known security
> fix" not being cc:ed to stable.  Do you have any known examples where I
> can go poke the maintainers to do better?
> We have plenty of the normal "bugfix was merged that a few years later
> turned out to be a 'security' issue, but no one realized it at the time"
> changes that get merged.  And to help combat that, we are doing more and
> more "smart mining"[1] of the kernel commits to try to catch patches
> that match those types of fixes and get them merged into the stable
> kernels.
> You can see the initial results of this work with the huge increase in
> patches being merged to the 4.9 and 4.4 stable kernels vs. any older
> stable kernel trees in the past.

This is definitively not "exhaustive", and not exactly what you are
pointing out. I thought it might still be of help, so I quickly looked
at what we know in our kernel-sec repository tracking, as well as fixes
which are still "needed" in 4.9:

upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]

is e.g. included in 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4),
3.2.89 (e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.

(afaics not Cc'ed to stable).


upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]

AFAICS, not Cc'ed to stable.

upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]

The reason that there is no Cc to stable might have actually been a
safety guard to not send out the commit to a public list, but not

upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]

Hope this might be of help.
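The check done by hand above (is an upstream fix present in a given stable release, and did it carry a Cc: stable trailer?) can be scripted against a local git checkout. This is an added example, not part of the message or of the Debian kernel-sec tooling; it assumes a local clone of the kernel tree with stable tags fetched, and it looks for backports by the stable convention of citing the upstream hash in the backport's commit message, since the backport itself has a different hash (as the 3.16.44 and 3.2.89 hashes above show).

```shell
#!/bin/sh
# Added example (not from the original post). For one upstream commit,
# report whether each given stable tag contains it, either directly
# (the tag descends from the commit) or as a backport whose message
# cites the upstream hash, and whether the upstream commit message
# carries a "Cc: stable@..." trailer. Repo path and hashes are
# supplied by the caller; nothing here is hard-coded to a real tree.

# Usage: stable_coverage <repo> <upstream-commit> <tag>...
# Prints "<tag> yes (direct)|yes (backport)|no" per tag, then
# "cc-stable yes|no" for the upstream commit itself.
stable_coverage() {
    repo=$1
    commit=$2
    shift 2
    for tag in "$@"; do
        # Direct inclusion: the tag's history contains the commit.
        if git -C "$repo" merge-base --is-ancestor "$commit" "$tag" 2>/dev/null; then
            echo "$tag yes (direct)"
        # Backport: a commit reachable from the tag mentions the upstream hash
        # ("commit <hash> upstream." or "[ Upstream commit <hash> ]").
        elif [ -n "$(git -C "$repo" log "$tag" --grep="$commit" --format=%H 2>/dev/null)" ]; then
            echo "$tag yes (backport)"
        else
            echo "$tag no"
        fi
    done
    # Did the upstream commit ask for stable inclusion at all?
    if git -C "$repo" log -1 --format=%B "$commit" 2>/dev/null | grep -qi '^Cc:.*stable@'; then
        echo "cc-stable yes"
    else
        echo "cc-stable no"
    fi
}

# Stand-alone use: stable_coverage /path/to/linux <hash> v4.9.52 v4.4.89
if [ $# -ge 2 ]; then
    stable_coverage "$@"
fi
```

A tag reported "no" for a commit that is a known security fix is a candidate for the "poke the maintainers" list; "cc-stable no" on the same commit explains why the stable mining may have missed it.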

