Date: Wed, 20 Jan 2016 14:15:14 +0000 From: Wade Mealing <wmealing@...il.com> To: kernel-hardening@...ts.openwall.com Subject: Re: 2015 kernel CVEs On Wed, Jan 20, 2016 at 9:19 PM Hanno Böck <hanno@...eck.de> wrote: > On Tue, 19 Jan 2016 12:49:17 +0100 > Hanno Böck <hanno@...eck.de> wrote: > > > > There was only one that might have come from a USB fuzzer. > > > We probably should be testing those things better. > > > > This is surprising to me. There was a talk at black hat amsterdam in > > 2014 about a project trying to do exactly this. They sounded like they > > have dozends of crashers that just need to be sorted and reported > > upstream. Here's the code  and the talk . > > > https://packetstormsecurity.com/files/133892/RedHat-Enterprise-Linux-7.1-Denial-Of-Service.html > > It seems they have started reporting issues and got limited replies. > > Disclaimer: I work for Red Hat Product Security group in the kernel sub group with Vladis. So from what I can see: - The CVE has been assigned. - A kernel has been built with a patch - Communicated with upstream about accepting the patch. - The issue is awaiting testing on the reporter since 24th of November last year. - This is not the only bugs that has been reported and worked between Ralf and Vladis ( https://goo.gl/5G1cnw ) I'm all about improving process, I imagine I would have done the same steps. What changes to the responses would need to be made to be less limited ? Understand that i'm not taking this personally and consider this an opportunity for Red Hat Security to improve as a group. If you want to take this off list, I'm cool with that. Thanks, Wade Mealing -- Thanks, Wade Mealing Content of type "text/html" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.