oss-sec mailing list archives
Linux kernel CVEs not mentioned on oss-security
From: "Priedhorsky, Reid" <reidpr () lanl gov>
Date: Mon, 25 Sep 2017 21:50:59 +0000
Hello all,

Debian recently issued DSA-3981-1, which announced fixes for quite a few CVEs affecting the Linux kernel. For five of these, I could find no evidence of any mention on oss-security:

CVE-2017-10661
CVE-2017-11600
CVE-2017-12146
CVE-2017-12154
CVE-2017-14156

Another CVE not in Debian’s announcement also seems not to have been mentioned here:

CVE-2016-10200

Of these six, three are possible privilege escalations (CVE-2016-10200, CVE-2017-10661, CVE-2017-12146). One was reported on oss-security, but not by CVE (CVE-2017-14156); the subject was “Linux kernel: driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak”.

I looked for mentions with the Google query ‘"CVE-xxxx-yyyyy" oss-security’ as well as in my own database that I maintain directly from list postings. For CVEs that do appear here on the list, the posting is usually the first Google hit. I don’t believe any of the above are recent enough not to have been announced.

This is related to previous discussions here about CVE requests moving from this list to a web form. IIRC, a key hypothesis was that CVE requestors would forward notices to oss-security. Above, I provide evidence that this is not happening consistently for Linux kernel vulnerabilities.

My questions:

1. Is oss-security’s coverage of security issues in open-source software intended to be comprehensive? If so, this appears not to be true for the Linux kernel.

2. Is there another source of comprehensive coverage of vulnerabilities in the Linux kernel, including but not necessarily limited to all CVEs issued for it?

I appreciate everyone’s time and effort on all this stuff. This post should not be interpreted as singling out Debian for criticism.

Thanks,
Reid
Current thread:
- Linux kernel CVEs not mentioned on oss-security Priedhorsky, Reid (Sep 25)
- Re: Linux kernel CVEs not mentioned on oss-security Kurt Seifried (Sep 25)
- Re: Linux kernel CVEs not mentioned on oss-security Priedhorsky, Reid (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Simon McVittie (Sep 25)
- Re: Linux kernel CVEs not mentioned on oss-security Moritz Muehlenhoff (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Agostino Sarubbo (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Greg KH (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Nicholas Luedtke (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Agostino Sarubbo (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Greg KH (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Muhammed Mustapha Abiola (Sep 27)
- Re: Linux kernel CVEs not mentioned on oss-security Greg KH (Sep 26)
- Re: Linux kernel CVEs not mentioned on oss-security Kurt Seifried (Sep 25)