oss-sec mailing list archives

Linux kernel CVEs not mentioned on oss-security


From: "Priedhorsky, Reid" <reidpr () lanl gov>
Date: Mon, 25 Sep 2017 21:50:59 +0000

Hello all,

Debian recently issued DSA-3981-1, which announced fixes for quite a few CVEs affecting the Linux kernel. For five of 
these, I could find no evidence of any mention on oss-security:

  CVE-2017-10661
  CVE-2017-11600
  CVE-2017-12146
  CVE-2017-12154
  CVE-2017-14156

Another CVE not in Debian’s announcement also seems not to have been mentioned here:

  CVE-2016-10200

Of these six, three are possible privilege escalations (CVE-2016-10200, CVE-2017-10661, CVE-2017-12146). One was 
reported on oss-security, but not by CVE (CVE-2017-14156); the subject was “Linux kernel: 
driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak”.

I looked for mentions with the Google query ‘"CVE-xxxx-yyyyy" oss-security’ as well as in my own database that I 
maintain directly from list postings. For CVEs that do appear here on the list, the posting is usually the first Google 
hit. I don’t believe any of the above are recent enough not to have been announced.

This is related to previous discussions here about CVE requests moving from this list to a web form. IIRC, a key 
hypothesis was that CVE requestors would forward notices to oss-security. Above, I provide evidence that this is not 
happening consistently for Linux kernel vulnerabilities.

My questions:

1. Is oss-security’s coverage of security issues in open-source software intended to be comprehensive? If so, this 
appears not to be true for the Linux kernel.

2. Is there another source of comprehensive coverage of vulnerabilities in the Linux kernel, including but not 
necessarily limited to all CVEs issued for it?

I appreciate everyone’s time and effort on all this stuff. This post should not be interpreted as singling out Debian 
for criticism.

Thanks,
Reid
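Added example, not part of Reid's post or of any oss-security tooling: the second lookup method the post describes (a locally maintained database built from list postings, checked against an advisory's CVE list) in runnable form. The posting format (a subject plus a body) and the sample postings are constructed for illustration; the advisory list reuses the six CVE IDs named in the post, but the "mentioned"/"unmentioned" result below reflects only the constructed sample, not the real archive.

```python
import re

# CVE IDs are "CVE-" + four-digit year + four or more digits (e.g. CVE-2017-1000112
# has seven). Case-insensitive so that "cve-2017-10661" in a body is still found.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# The six IDs named in the post above (five from DSA-3981-1 plus CVE-2016-10200).
ADVISORY_CVES = [
    "CVE-2017-10661", "CVE-2017-11600", "CVE-2017-12146",
    "CVE-2017-12154", "CVE-2017-14156", "CVE-2016-10200",
]

# Constructed sample postings (assumed shape: subject + body). These are NOT real
# oss-security messages; they only exercise the matching logic.
SAMPLE_POSTS = [
    {"subject": "Re: Linux kernel fix discussion",
     "body": "The fix landed upstream; cve-2017-10661 was assigned for this."},
    {"subject": "Linux kernel: driver/video/fbdev/aty/atyfb_base.c: "
                "atyfb_ioctl() stack infoleak",
     "body": "No CVE has been assigned yet."},
    {"subject": "CVE-2017-1000112: Linux kernel UFO packet handling",
     "body": "Related to the earlier report, see also CVE-2017-12146."},
]


def extract_cves(text):
    """Return the set of normalised (upper-case) CVE IDs found in text."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}


def index_posts(posts):
    """Map each CVE ID to the subjects of the postings that mention it."""
    index = {}
    for post in posts:
        for cve in extract_cves(post["subject"] + "\n" + post["body"]):
            index.setdefault(cve, []).append(post["subject"])
    return index


def find_unmentioned(advisory_cves, index):
    """CVE IDs from the advisory that no indexed posting mentions, sorted."""
    return sorted(cve for cve in advisory_cves if cve.upper() not in index)


def main():
    index = index_posts(SAMPLE_POSTS)
    for cve in sorted(index):
        print(f"{cve}: mentioned in {index[cve]}")
    print("not mentioned on the list (by ID):")
    for cve in find_unmentioned(ADVISORY_CVES, index):
        print(f"  {cve}")


if __name__ == "__main__":
    main()
```

The check is by ID only, which is exactly the blind spot the post itself notes: a posting that describes the bug without its CVE (the atyfb_ioctl() infoleak in the sample) is indexed under no ID, so the ID it later receives still shows up as "not mentioned". Catching those requires matching on the affected file or function name, not on the identifier.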
