Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 19 Mar 2021 16:37:43 -0400
From: Sasha Levin <sashal@...nel.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2021-20219 Linux kernel: improper
 synchronization in flush_to_ldisc() can lead to DoS

Hey Brad,

I'll let Greg respond on your concerns with him, I've removed those
references to him from my reply.

On Fri, Mar 19, 2021 at 03:58:25PM -0400, Brad Spengler wrote:
>Hi Sasha,
>
>> I'm really not sure how to respond to this. I don't own upstream, my
>> name isn't Linus, Greg, nor do I maintain a major subsystem. I don't
>> have any control over how upstream commits look like.
>
>Both you and Greg certainly have control over stable kernel commit
>messages (it's the same ability you use to add the upstream commit ID).

So we do, but traditionally I haven't changed the commit message. I also
don't have an additional source of information when I queue up the
commits, so I'm not sure how my ability to edit stable commit messages
helps here.

>> Great, let's work together on making it better, but it's been following
>> the same pattern for quite a while now.
>
>I think both you and Greg are exaggerating the level of "extra work" this
>temporary blip creates for you -- with the exception of the RH backport
>issue, it was not difficult at all for me to determine what issue was
>being discussed, without even having to plug the CVEs into bugzilla.redhat.com
>which produces:
>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35519
>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3428

So this CVE link above is exactly what I referred to: how do you go from
CVE-2021-3428 to the commit in question?

-- 
Thanks,
Sasha

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.