Message-ID: <2025100533-foam-capsize-cb0b@gregkh>
Date: Sun, 5 Oct 2025 08:23:21 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros

On Sat, Oct 04, 2025 at 09:23:57PM -0700, nightmare.yeah27@...ecat.org wrote:
> On Sat, Oct 04, 2025 at 07:45:08AM +0200, Greg KH wrote:
> > > > The idea is that if triaging 13 bugs a day is unsustainable,
> >
> > What do you mean by this? I never stated it was unsustainable, in
> > fact it's just fine from our side. What is the problem you are
> > wanting others to help in solving with here exactly?
>
> I can guess Attila's meaning as an outsider. It seems strange to me
> that as one so deeply engaged in these issues you (Greg) cannot do
> that.
>
> The meaning is: it *would* be unsustainable *if* you actually started
> triaging. You don't triage now, because "a bug is a bug".

I don't understand this, sorry.

Right now, we _do_ triage all bugfixes that are added to the Linux kernel and classify them as to whether they meet the requirement of a "vulnerability" as required by cve.org or not. Any that do, we assign a CVE to. Any that do not, we do not.

There are 3 of us doing this work, in our public git repo, plus we have 2 "guest" reviewers also helping out at times, so everyone can see what is happening before we assign CVEs. We don't always agree on things, but that's why there are 3 of us doing the work, so we can vote, and of course, _anyone_ else can always ask for other CVEs to be assigned, or ask that existing ones be rejected based on their reviews.

That is the work we do to "triage" on a weekly basis.

Again, not all bugfixes that go into the Linux kernel meet the cve.org definition of "vulnerability", and so we do not mark all Linux bugfixes with a CVE. If we were to do that, the rate of CVEs would be much higher than the current average of 13 per day (which, if you look at the applicability of those CVEs to your system, is on average, or a bit below, the other two major operating systems out there, so Linux is not an outlier at all.)

Hope this helps explain things a bit better. I think this means I need to write up even more documentation as to exactly how we do all of this work, as this information isn't more widely known.

thanks,

greg k-h