Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Jan 2016 14:15:14 +0000
From: Wade Mealing <>
Subject: Re: 2015 kernel CVEs

On Wed, Jan 20, 2016 at 9:19 PM Hanno Böck <> wrote:

> On Tue, 19 Jan 2016 12:49:17 +0100
> Hanno Böck <> wrote:
> > > There was only one that might have come from a USB fuzzer.
> > > We probably should be testing those things better.
> >
> > This is surprising to me. There was a talk at black hat amsterdam in
> > 2014 about a project trying to do exactly this. They sounded like they
> > have dozends of crashers that just need to be sorted and reported
> > upstream. Here's the code [2] and the talk [3].
> It seems they have started reporting issues and got limited replies.
Disclaimer: I work for Red Hat Product Security group in the kernel sub
group with Vladis.

So from what I can see:

- The CVE has been assigned.
- A kernel has been built with a patch
- Communicated with upstream about accepting the patch.
- The issue is awaiting testing on the reporter since 24th of November last
- This is not the only bugs that has been reported and worked between Ralf
and Vladis ( )

I'm all about improving process, I imagine I would have done the same
steps.   What changes to the responses would need to be made to be less
limited ?  Understand that i'm not taking this personally and consider this
an opportunity for Red Hat Security to improve as a group.

If you want to take this off list, I'm cool with that.


Wade Mealing

Wade Mealing

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.