Date: Thu, 18 Mar 2021 13:08:21 +0100
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2021-20219 Linux kernel: improper synchronization in flush_to_ldisc() can lead to DoS

On Thu, Mar 18, 2021 at 05:03:53PM +0530, Rohit Keshri wrote:
> Hello Team,
>
> > Given that the above CVE is not public in any database that I can find,
> > one can only hope that the text will reflect what really is happening
> > here. Rohit, why was this even published?
> >
> > Again, stuff like this is just causing extra work by everyone else for
> > no good reason that I can see.
>
> I understand and apologize for the confusion.
>
> This issue was reported for rhel7 to us (which was not seen in rhel8
> or later versions), but it also applies to kernel before this
> ('3d63b7e4ae0dc') patch or kernel without this patch.
>
> $ git tag --contains 3d63b7e4ae0dc
> v4.18
> v4.18-rc3
> v4.18-rc4
> v4.18-rc5
> v4.18-rc6
> v4.18-rc7
> v4.18-rc8
>
> ..

`git describe` should be used instead for stuff like this:

$ git describe --contains 3d63b7e4ae0dc
v4.18-rc3~4^2~4

But none of that takes into account the backporting of commits into the
stable tree; you need a different tool for that, and many of us have
written our own. If you use that you will see that the above commit
really is in lots of fixed kernel trees:

$ id_found_in 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81
3.16.61
3.18.115
4.4.140
4.9.112
4.14.54
4.17.5
4.18

So this means that your RHEL 7 kernel, which is based on 3.10, somehow
missed picking this up when it was backported to the "newer" stable
kernel trees almost 3 years ago. Is that a mistake in your kernel
development process that should be resolved?

> Since this issue was reported to us, identified as a security flaw,
> and was fixed in the upstream, we decided to assign a CVE.

But then you announce that CVE to the community with no context or
information, which only causes us to have to do lots of extra work.

If it's Red Hat's goal to get some people in the Linux kernel community
mad at them, it's working well. If it's Red Hat's goal to somehow help
the community out with this type of announcement, it's not working at
all. You failed to cite the fix, when it was, who did the fix, who found
the fix, and where it was actually fixed in, all things that people here
actually would like to know.

So, what really is your goal here?

thanks,

greg k-h
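Added example, not part of the thread above and not Greg's `id_found_in` script: a throwaway git repository that reproduces the three lookups the message contrasts. A "mainline" branch gets a fix that is later tagged, a "stable" branch forked earlier receives the fix as a cherry-picked commit with a different SHA, and the example shows why `git tag --contains` and `git describe --contains` both miss the stable tag while a lookup that also follows the "commit <sha> upstream." line in backport commit messages (the convention used in the upstream stable trees, assumed here as the thing such tools key on) finds it. Branch names, tag names, file contents and commit messages are all constructed for the demo; `found_in` is a stand-in written for this example, not Greg's tool.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a throwaway repository
# with a "mainline" branch and a "stable" branch carrying a cherry-picked
# backport, then compares the three lookups discussed in the message.
# Branch names, tags, file contents and commit messages are all constructed.
set -e

REPO=$(mktemp -d)
trap 'rm -rf "$REPO"' EXIT
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
g() { git -C "$REPO" "$@"; }

# commit <file> <subject> [body]: write a file and commit it with that message
commit() {
    printf '%s\n' "$2" > "$REPO/$1"
    g add "$1"
    printf '%s\n\n%s\n' "$2" "${3:-}" | g commit -q -F -
}

g init -q
g symbolic-ref HEAD refs/heads/mainline
commit base.c  "base";                 g tag v4.17
g branch stable v4.17                  # the stable tree forks at v4.17
commit tty.c   "tty: fix flush race";  FIX=$(g rev-parse HEAD)
commit other.c "unrelated change";     g tag v4.18-rc3
commit more.c  "another change";       g tag v4.18

# Backport: a fresh commit on stable (new SHA) whose body names the upstream
# commit, following the stable-tree convention "commit <sha> upstream."
g checkout -q stable
commit tty.c "tty: fix flush race" "commit $FIX upstream."
g tag v4.17.5
g checkout -q mainline

# Which tags reach this exact commit object? Backports have other SHAs, so
# the stable tag never shows up here.
tags_containing() { g tag --contains "$1"; }

# Nearest tag containing the commit, with the path back to it (name-rev form).
describe_containing() { g describe --contains "$1"; }

# Also follow backports: every commit on any branch whose message cites the
# upstream SHA is treated as the same fix, and its tags join the result.
found_in() {
    {
        g tag --contains "$1"
        g log --all --fixed-strings --grep="commit $1 upstream" --format=%H |
            while read -r sha; do g tag --contains "$sha"; done
    } | LC_ALL=C sort -u
}

echo "--- git tag --contains (mainline tags only)";  tags_containing "$FIX"
echo "--- git describe --contains";                  describe_containing "$FIX"
echo "--- including stable backports";               found_in "$FIX"
```

Run it with any git that understands `git -C`; the first two lookups report only v4.18-rc3 and v4.18, and only the third one also reports v4.17.5, which is the gap the message is pointing at when a fix is tracked by its mainline SHA alone.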