oss-sec mailing list archives
Re: linux-distros list policy and Linux kernel
From: eduardo vela <evn () googlers com>
Date: Mon, 23 May 2022 08:48:27 +0200
On Mon, 23 May 2022, 08:35 Greg KH, <greg () kroah com> wrote:
> On Sun, May 22, 2022 at 08:55:50PM +0100, Sam James wrote:
> > I'd also like to ask that the final commit messages please reference any
> > relevant CVEs or at least the security impact. There've been a fair number
> > of incidents where such information is stripped and it makes tracking
> > issues *really* hard.
>
> That is pretty much impossible and goes against the whole goal of "get this
> fixed and in a public tree and only tell the world that it was an issue
> after-the-fact" way that the kernel team works. If we put all of that in
> the commit to start with, the whole world knows this info. We can't go back
> in time and change git commits for obvious reasons.
Hi all,

Regarding keeping the security relevance of the patch secret: something we are working on now (as the Google CNA) is to automatically generate CVEs for Syzkaller findings that meet some criteria (unique, with reproducer, and with some heuristics to determine the type of crash, e.g. KASAN+uaf). We would also monitor advisories from distros to catch duplicate CVEs and not issue them in those cases.

The reason I mention it in this list is because a CVE would be issued (and maybe communicated to oss-security@ to avoid duplicate CVEs), which might also automatically break embargoes. That said, I hope that's OK, as Syzkaller is just a subset of security vulnerabilities being disclosed on the Kernel.

If you have feedback about the overall concept, please send it off-list (or start a new thread) so as to avoid derailing the topic, but I wanted to bring it up because it might appear as willing violations of embargo on the new linux-distros@ process being proposed.

Regards

> thanks,
>
> greg k-h
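The message above describes a triage pipeline in outline only: a syzkaller finding is eligible for an automatically issued CVE when it is unique, has a reproducer, and a heuristic recognises the crash type (e.g. a KASAN use-after-free), and findings already covered by a distro advisory are skipped. The following Python is an added illustration of that filtering logic, not code from Google or the syzkaller project. The sample records, the function names in the crash titles, the `BUG_CLASS` labels and the `CVE-YYYY-NNNNN` placeholder are all constructed for this example; only the "KASAN: <bug-type> <Read|Write> in <function>" title shape follows syzkaller's real convention.

```python
import re
from dataclasses import dataclass

# Constructed sample findings in the shape of syzkaller dashboard entries:
# a crash title plus whether a reproducer exists. The function names are
# invented for this example; the second entry deliberately duplicates the first.
SAMPLE_FINDINGS = [
    {"title": "KASAN: use-after-free Read in example_release", "reproducer": True},
    {"title": "KASAN: use-after-free Read in example_release", "reproducer": True},
    {"title": "KASAN: slab-out-of-bounds Write in example_parse", "reproducer": True},
    {"title": "WARNING in example_check", "reproducer": True},
    {"title": "KASAN: use-after-free Write in example_timer", "reproducer": False},
    {"title": "general protection fault in example_ioctl", "reproducer": True},
]

# Constructed stand-in for "advisories already seen from distros": a title that
# already carries a CVE must not get a second one. The id is a placeholder.
ALREADY_ASSIGNED = {
    "KASAN: slab-out-of-bounds Write in example_parse": "CVE-YYYY-NNNNN",
}

# Matches the syzkaller title convention for KASAN reports.
KASAN_RE = re.compile(r"^KASAN: (?P<bug>[a-z-]+) (?P<access>Read|Write) in (?P<func>\S+)$")

# Heuristic mapping from sanitizer bug type to a memory-safety class.
# The short labels ("uaf", "oob", ...) are this example's own, not syzkaller's.
BUG_CLASS = {
    "use-after-free": "uaf",
    "slab-out-of-bounds": "oob",
    "stack-out-of-bounds": "oob",
    "double-free": "double-free",
}


@dataclass(frozen=True)
class Candidate:
    title: str
    bug_class: str
    access: str
    func: str


def classify(title):
    """Return a Candidate for titles whose crash type the heuristic recognises,
    or None for anything else (plain WARNINGs, GPFs without a KASAN report, ...)."""
    m = KASAN_RE.match(title)
    if not m:
        return None
    bug_class = BUG_CLASS.get(m.group("bug"))
    if bug_class is None:
        return None
    return Candidate(title, bug_class, m.group("access"), m.group("func"))


def select_candidates(findings, already_assigned=None):
    """Apply the stated criteria in order: has reproducer, recognised crash
    type, unique title, and not already covered by an existing CVE."""
    already_assigned = already_assigned or {}
    seen = set()
    selected = []
    for finding in findings:
        if not finding["reproducer"]:
            continue
        cand = classify(finding["title"])
        if cand is None or cand.title in seen:
            continue
        seen.add(cand.title)
        if cand.title in already_assigned:
            continue  # duplicate of a CVE a distro advisory already published
        selected.append(cand)
    return selected


if __name__ == "__main__":
    for cand in select_candidates(SAMPLE_FINDINGS, ALREADY_ASSIGNED):
        print(f"{cand.bug_class:<12} {cand.access:<5} {cand.func}")
```

Run as-is, only the use-after-free Read in `example_release` survives: its duplicate is folded, the out-of-bounds write is dropped because a CVE already exists for it, the WARNING and the general protection fault have no recognised sanitizer class, and the use-after-free Write lacks a reproducer. Swapping in a real dedup source (the distro advisory feed the message mentions) for `ALREADY_ASSIGNED` is the part that keeps the automation from issuing duplicate CVEs.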