Date: Thu, 28 Sep 2017 16:34:20 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

On Thu, Sep 28, 2017 at 09:35:33AM +0200, Salvatore Bonaccorso wrote:
> Hi Greg,
>
> On Wed, Sep 27, 2017 at 03:04:24PM +0200, Greg KH wrote:
> > On Wed, Sep 27, 2017 at 02:51:49PM +0200, Solar Designer wrote:
> > > Besides, Greg focuses on the problem that some ignore the stable kernels
> > > or the "curated and tested stream of fixes" that could be seen in there,
> > > whereas another concern mentioned earlier in the thread is that the
> > > stream is also incomplete because some security fixes are not marked as
> > > such and not CC'ed to stable. So that's two problems mentioned in the
> > > thread, but vendor-sec was not / linux-distros is not related to either.
> >
> > For that second issue, I've not ever really run into any "known security
> > fix" not being cc:ed to stable. Do you have any known examples where I
> > can go poke the maintainers to do better?
> >
> > We have plenty of the normal "bugfix was merged that a few years later
> > turned out to be a 'security' issue, but no one realized it at the time"
> > changes that get merged. And to help combat that, we are doing more and
> > more "smart mining" of the kernel commits to try to catch patches
> > that match those types of fixes and get them merged into the stable
> > kernels.
> >
> > You can see the initial results of this work with the huge increase in
> > patches being merged to the 4.9 and 4.4 stable kernels vs. any older
> > stable kernel trees in the past.
>
> This is definitively not "exhaustive", and not exactly what you are
> pointing out. I thought it might be still of help, so I quickly looked
> what we know in our kernel-sec repository tracking as well fixed which
> are "needed" yet in 4.9:
>
> CVE-2017-0605:
> --------------
> https://security-tracker.debian.org/tracker/CVE-2017-0605
> upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
>
> is e.g. included in 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4),
> 3.2.89 (e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.
>
> (afaics not Cc'ed to stable).

Ouch, thanks for letting me know, that's not good, we don't want to get
the trees out of sync for obvious reasons.

> CVE-2017-12154:
> ---------------
> https://security-tracker.debian.org/tracker/CVE-2017-12154
> from https://marc.info/?l=oss-security&m=150640182829622&w=2
>
> upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]
>
> AFAICS, not Cc'ed to stable.
>
> CVE-2017-14156:
> ---------------
> https://security-tracker.debian.org/tracker/CVE-2017-14156
> upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]
>
> CVE-2017-1000252:
> -----------------
> https://security-tracker.debian.org/tracker/CVE-2017-1000252
> The reason that there is no Cc to stable might have been actually a
> safety guard to not send out the commit to a public list, but not
> sure.
>
> upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]
>
> Hope this might be of help.

Yes, many thanks, I'll add these to the list of things to queue up soon.

thanks again,

greg k-h
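The thread boils down to two checks a distribution kernel maintainer makes for each tracked CVE: did the upstream fix carry a "Cc: stable@vger.kernel.org" trailer, and is the upstream commit actually contained in a given stable branch (4.9 here)? The script below is an added example, not code from this thread or from the Debian kernel-sec repository. It parses the "CVE-…: / upstream: … [hash]" notation exactly as it appears in Salvatore's mail (those four entries and hashes are taken from the mail), detects the stable trailer in a commit message (the two commit messages are constructed, not real kernel commits), and asks git whether a commit is an ancestor of a branch via `git merge-base --is-ancestor`, which is only run when a repository path is supplied on the command line.

```python
"""Audit kernel-sec style CVE entries: stable trailer present? fix in branch?

Added example; not code from the oss-security thread or the Debian
kernel-sec repository. The tracker entries below are copied from the
thread; the commit messages are constructed for illustration.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

# "upstream: released (4.14-rc1) [<40-hex sha>]" or "upstream: (4.12-rc1) [...]"
UPSTREAM_RE = re.compile(
    r"upstream:\s*(?:released\s*)?\((?P<version>[^)]+)\)\s*\[(?P<commit>[0-9a-f]{40})\]"
)
CVE_HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):$")
# Kernel convention for requesting a stable backport is a trailer such as
# "Cc: stable@vger.kernel.org" or "Cc: <stable@vger.kernel.org> # 4.9+".
STABLE_CC_RE = re.compile(
    r"^Cc:.*\bstable@(?:vger\.)?kernel\.org", re.IGNORECASE | re.MULTILINE
)

# Entries as written in the thread (quote marks stripped).
SAMPLE_TRACKER = """\
CVE-2017-0605:
--------------
https://security-tracker.debian.org/tracker/CVE-2017-0605
upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]

is e.g. included in 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4),
3.2.89 (e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.

CVE-2017-12154:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-12154
from https://marc.info/?l=oss-security&m=150640182829622&w=2
upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]

CVE-2017-14156:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-14156
upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]

CVE-2017-1000252:
-----------------
https://security-tracker.debian.org/tracker/CVE-2017-1000252
upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]
"""

# Constructed commit messages (not real kernel commits).
CONSTRUCTED_MSG_WITH_CC = """\
example: fix refcount leak on error path

Constructed message for the example.

Cc: <stable@vger.kernel.org> # 4.9+
Signed-off-by: Example Developer <dev@example.invalid>
"""
CONSTRUCTED_MSG_WITHOUT_CC = """\
example: fix refcount leak on error path

Constructed message for the example; no stable trailer.

Signed-off-by: Example Developer <dev@example.invalid>
"""


@dataclass
class TrackedFix:
    cve: str
    version: str   # upstream release the fix landed in, e.g. "4.14-rc1"
    commit: str    # full upstream commit id


def parse_tracker_entries(text: str) -> List[TrackedFix]:
    """Pair each 'CVE-....:' header with the next 'upstream: ... [sha]' line."""
    entries: List[TrackedFix] = []
    current_cve = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail quoting
        header = CVE_HEADER_RE.match(line)
        if header:
            current_cve = header.group(1)
            continue
        up = UPSTREAM_RE.search(line)
        if up and current_cve:
            entries.append(TrackedFix(current_cve, up.group("version"), up.group("commit")))
            current_cve = None                   # one upstream line per entry
    return entries


def has_stable_cc(commit_message: str) -> bool:
    """True if the message carries a 'Cc: ... stable@vger.kernel.org' trailer."""
    return STABLE_CC_RE.search(commit_message) is not None


def commit_in_branch(repo: str, commit: str, branch: str) -> bool:
    """Return True if `commit` is an ancestor of `branch` in the git repo at `repo`."""
    r = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", commit, branch],
        capture_output=True,
    )
    return r.returncode == 0


if __name__ == "__main__":
    # Usage: python audit.py [/path/to/linux-stable] [branch, default linux-4.9.y]
    repo = sys.argv[1] if len(sys.argv) > 1 else None
    branch = sys.argv[2] if len(sys.argv) > 2 else "linux-4.9.y"
    for fix in parse_tracker_entries(SAMPLE_TRACKER):
        status = "unknown (no repo given)"
        if repo:
            status = "in branch" if commit_in_branch(repo, fix.commit, branch) else "MISSING"
        print(f"{fix.cve}: upstream {fix.version} {fix.commit[:12]} -> {branch}: {status}")
    print("constructed message with Cc trailer:", has_stable_cc(CONSTRUCTED_MSG_WITH_CC))
    print("constructed message without trailer:", has_stable_cc(CONSTRUCTED_MSG_WITHOUT_CC))
```

Run against a clone of linux-stable with `linux-4.9.y` checked out or fetched, the "MISSING" lines are exactly the "needed yet in 4.9" set the mail is about; the trailer check is what tells you whether the gap is a missed Cc (a process fault to raise with the maintainer) rather than a deliberate omission.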