Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver

[Greg KH <greg () kroah com>]

On Tue, Nov 07, 2017 at 08:30:05PM +0000, Maier, Kurt H wrote:
> On Tue, 2017-11-07 at 21:22 +0100, Greg KH wrote:
> > I hate to ask, but why are you getting CVEs for bugs fixed over a
> > year
> > ago, and are already in all stable kernel releases a year ago?  Why
> > does
> > it matter?
> >
> > Unless you happen to have a product that doesn't ever do kernel
> > updates
> > from the stable trees, and well, then you know what you are doing and
> > don't need CVEs assigned either, right?  :)
>
> Kernel maintainers' policy is clear, and nobody is asking for that to
> change, but please don't sandbag the process of keeping track of
> vulnerabilities.  The fraction of "products" (regardless of vendor)
> that run linux and never get updates approaches unity.  Being able to
> precisely catalog which linux releases suffer from which
> vulnerabilities is useful to many.

Well, I'm working on fixing the "devices do not get updates" issue
through other means, so don't just give up on that one just yet :)

As for the "keep track of vulnerabilities", is that what is really
happening here?  Why pick a random bug fix from over a year ago for a
CVE vs. the 100 other bugfixes in the past few weeks/months?

I'm really curious as to what triggered this specific CVE request that
somehow misses the hundreds/thousands of other fixes that land in newer
kernel releases?

thanks,

greg k-h