Date: Tue, 17 May 2022 08:51:55 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

On Tue, May 17, 2022 at 03:30:33AM +0000, Seth Arnold wrote:
> Given how much effort it takes me to assign CVEs for kernel issues, I've
> wondered before if we (me, us, the community as a whole, etc) ought to
> have a very standard and lightweight way to publish kernel CVEs, something
> that's not much more than the Fixes: lines already in the commits.

Isn't this what the "GSD" process is supposed to accomplish:
	https://globalsecuritydatabase.org/

The stable kernel team (i.e. Sasha) asks for identifiers for kernel
issues all the time from this group now that MITRE refuses to assign
CVEs for kernel fixes made in stable kernel releases.

If you look in their database at github, there are lots of kernel
commits being tracked there, is that sufficient for your needs?

> I know this discussion didn't start around assigning CVEs to kernel
> issues, but if we're missing more than we're handling, perhaps it ought to
> be part of the discussion.

I think this is an independent issue that doesn't have much to do with
linux-distros other than currently linux-distros is one of the simplest
ways that people can get CVEs for kernel issues at the moment.

thanks,

greg k-h
