oss-sec mailing list archives
Re: Netlink XFRM socket subsystem NULL pointer dereference
From: Solar Designer <solar () openwall com>
Date: Sun, 22 Oct 2017 13:36:30 +0200
On Sun, Oct 22, 2017 at 01:21:19PM +0200, Marius Bakke wrote:
Noam Rathaus <noamr () beyondsecurity com> writes:I was forwarded by: Dan Carpenter <dan.carpenter () oracle com> To you regarding obtaining a CVE for the mentioned (in the title) vulnerability I know a patch is being created and placed into mainstream code of the Kernel I would like also to get a CVE for it, so that we can put that in the advisory we will releaseUnfortunately CVE IDs are not assigned through this list anymore. Please use <https://cveform.mitre.org/> to request a CVE.
Marius is right. More detail on how we'd like this used as it relates to also posting to oss-security: http://oss-security.openwall.org/wiki/mailing-lists/oss-security#cve-requests "Previously, one could request CVE IDs for issues in Open Source software from oss-security. This is no longer the case. Instead, please start by posting about the (to be made) public issue to oss-security (without a CVE ID), request a CVE ID from MITRE directly, and finally "reply" to your own posting when you also have the CVE ID to add. With the described approach you would only approach MITRE after the issue is already public, but if you choose to do things differently and contact MITRE about an issue that is not yet public, then please do not disclose to them more than the absolute minimum needed for them to assign a CVE ID."
Do we need to give you the full technical writeup of the vulnerability?It's by no means required,
Actually, this is in fact required: http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines "At least the most essential part of your message (e.g., vulnerability detail and/or exploit) should be directly included in the message itself (and in plain text), rather than only included by reference to an external resource. Posting links to relevant external resources as well is acceptable, but posting only links is not. Your message should remain valuable even with all of the external resources gone." Of course, only post the full detail once it's meant to be made public. Noam's message so far is not sufficiently detailed for oss-security, for when the issue is public (I get the feeling it might not be yet).
but it would be appreciated if you could get back to this list with the advisory and CVE identifier when ready.
Right. Finally, let's not assume that "kernel" implies "Linux", even though it's usually the case in postings in here. Going forward, let's explicitly say "Linux kernel" where appropriate (especially at the start of message Subjects), so that we don't discourage reporting and discussion of issues in other Open Source kernels in here. (This thread's Subject should stay as it is not to add confusion, though.) Alexander
Current thread:
- Netlink XFRM socket subsystem NULL pointer dereference Noam Rathaus (Oct 22)
- Re: Netlink XFRM socket subsystem NULL pointer dereference Marius Bakke (Oct 22)
- Re: Netlink XFRM socket subsystem NULL pointer dereference Solar Designer (Oct 22)
- Re: Netlink XFRM socket subsystem NULL pointer dereference Marius Bakke (Oct 22)