oss-sec mailing list archives

Re: linux-distros list policy and Linux kernel


From: Greg KH <greg () kroah com>
Date: Tue, 17 May 2022 08:51:55 +0200

On Tue, May 17, 2022 at 03:30:33AM +0000, Seth Arnold wrote:
> Given how much effort it takes me to assign CVEs for kernel issues, I've
> wondered before if we (me, us, the community as a whole, etc) ought to
> have a very standard and lightweight way to publish kernel CVEs, something
> that's not much more than the Fixes: lines already in the commits.

Isn't this what the "GSD" process is supposed to accomplish:
        https://globalsecuritydatabase.org/

The stable kernel team (i.e. Sasha) asks for identifiers for kernel
issues all the time from this group now that MITRE refuses to assign
CVEs for kernel fixes made in stable kernel releases.

If you look in their database at github, there are lots of kernel
commits being tracked there, is that sufficient for your needs?

> I know this discussion didn't start around assigning CVEs to kernel
> issues, but if we're missing more than we're handling, perhaps it ought to
> be part of the discussion.

I think this is an independent issue that doesn't have much to do with
linux-distros other than currently linux-distros is one of the simplest
ways that people can get CVEs for kernel issues at the moment.

thanks,

greg k-h

