Date: Tue, 26 Oct 2021 14:30:18 +0200 From: Solar Designer <solar@...nwall.com> To: Lin Horse <kylin.formalin@...il.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object On Tue, Oct 26, 2021 at 08:14:20PM +0800, Lin Horse wrote: > The commit for the fix is 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 (link: > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1b1499a817c90fd1ce9453a2c98d2a01cca0e775 > ) Thanks. Looks like the same fix you already shared on September 1. I also found this was (first?) made public on Linux kernel mailing lists (linux-nfc, netdev, linux-kernel) on October 7 by someone from Canonical (and Lin was CC'ed): https://lists.openwall.net/netdev/2021/10/07/239 Canonical didn't break the embargo there because it was supposed to be already over by then, however I think it was their opportunity to remind about the need to make the oss-security posting, or to make the posting themselves. Speaking of which, I think SUSE (as they first reminded) or Gentoo or Amazon (as they're tasked with this) could and should have brought this to oss-security shortly after Lin didn't reply to the September 17 reminder. To send a reminder and forget for another month isn't a reliable approach. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.