oss-sec mailing list archives
Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver
From: Greg KH <greg () kroah com>
Date: Mon, 13 Nov 2017 16:15:24 +0100
On Mon, Nov 13, 2017 at 10:07:00AM -0500, Vladis Dronov wrote:
Hello, Greg, all, My fault here was indeed not stating that a Red Hat's product is vulnerable (thus, a CVE was assigned), but stating that only Linux kernel is vulnerable (while indeed it was fixed a long ago). Please, accept my apologies.
Ok, not a problem, thanks for the apology.
I hate to ask, but why are you getting CVEs for bugs fixed over a year ago, and are already in all stable kernel releases a year ago? Why does it matter?I'm afraid, you won't like the answer, but in a short word, the Red Hat is a CNA (CVE Numbering Authority) for Red Hat's products and the Linux kernel and we've decided to assign this CVE.
So the answer is just "we've decided to", right? If so, that's fine, you are allowed to do so being a CNA, but what is keeping you from doing the same for the thousands of other bugs that have been fixed since this one that is in a specific Red Hat product? It's the arbitrarily nature here that I am curious about, it feels like it should be "all or nothing", for CVEs to mean much here. Right now it seems like it is just, "all that we care to track"? :) thanks, greg k-h
Current thread:
- CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Vladis Dronov (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 08)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver David A. Wheeler (Nov 09)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Stiepan (Nov 10)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Amos Jeffries (Nov 11)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Stuart Gathman (Nov 11)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 07)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Vladis Dronov (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver David A. Wheeler (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Greg KH (Nov 13)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Brad Spengler (Nov 14)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Eddie Chapman (Nov 14)
- Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver Maier, Kurt H (Nov 14)