oss-sec mailing list archives
Re: Linux kernel CVEs not mentioned on oss-security
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Tue, 26 Sep 2017 12:31:38 -0500 (CDT)
On Tue, 26 Sep 2017, Agostino Sarubbo wrote:
> This certainly does not answer the original question, but upstream should consider doing something like ffmpeg does here: https://www.ffmpeg.org/security.html I guess this would be a benefit for all.
It is incredibly difficult for most non-commercial upstreams to do this since they have limited manpower, they are not informed of all the applicable CVEs, and the CVE information received is essentially hearsay, received from unknown/unverifiable sources. I am thinking that it is best for most non-commercial upstreams to not mention CVEs at all.
If someone (e.g. with identity 'bugmeister () abcd cn') informs me (an upstream maintainer) that some particular bug has been assigned a particular CVE then how can I know that to be a fact?
Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/