Date: Sat, 11 Nov 2017 16:02:09 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver

On 10/11/17 06:09, David A. Wheeler wrote:
> I agree that many vulnerabilities don't have CVE ids.
> You don't need to identify *all* vulnerabilities in old kernels... just enough to make
> it easier to update the kernel than try to back-patch everything.
> If manufacturers have to fix the CVEs to sell products, or to avoid massive returns,
> that creates an *economic* reason for manufacturers to
> begin responsibly maintaining their products.

The argument is knee-capped by CVE being slowly and incrementally assigned. The cost of incremental change is nowhere near as visible to vendors. They just patch issues one by one, equally as slowly, then blame the end users for not upgrading/patching firmware, when the firmware upgrade process itself is shrouded by lots of scary warnings and technical actions that prevent home users from doing it.

The stick doesn't work too well with vendors and distributors. Too much greed these days. And that means the carrot works better - we just have to figure out what the best carrot looks like.

AYJ