Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

[Greg KH <greg () kroah com>]

On Thu, Aug 22, 2019 at 05:16:03PM +0200, Andrey Konovalov wrote:
> On a side note, currently there's an issue with many Linux kernel bugs
> being fixed, but not backported to distro kernels. Those bugs might
> have security implications, but there's no way to know that, unless
> someone specifically spends time to assess them in that regard.
> Requesting CVEs for those bugs is a way to get the fixes into distro
> kernels (even though that doesn't always work promptly [1] :).
>
> [1] https://www.openwall.com/lists/oss-security/2018/10/30/2

Note, I am scraping the logs for anything that says it is fixed due do a
syzbot find or report and backporting them to the stable kernel
branches.  So those distros that do follow the LTS/stable kernel
releases do get these fixes.  Luckily most of the "sane" distros these
days do this.

Please don't abuse the CVE process just to try to get a fix backported
to a Linux kernel release.  There is at least one company today that
does this as it is a way to "route around" management, but really, that
shouldn't be needed, fix your management processes instead please :)

thanks,

greg k-h