oss-sec mailing list archives
Re: CVEs issued by the Linux kernel CNA
From: Vegard Nossum <vegard.nossum () oracle com>
Date: Wed, 13 Mar 2024 14:41:27 +0100
On 21/02/2024 00:30, Alan Coopersmith wrote:
> As recently announced [1], kernel.org is now a CNA for the Linux kernel, and today issued its first 8 CVEs, as seen in the archives of their mailing list at https://lore.kernel.org/linux-cve-announce/ .
>
> Their documentation [2] warns that we should expect a "seemingly large number of CVEs that are issued by the Linux kernel team".
>
> Since there's already an archived mailing list covering the CVE assignments, I don't think it makes sense to mirror that large amount of traffic here, but to only bring to oss-security those that are especially interesting or useful to discuss further. What do others think?
>
> [1] http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/
> [2] https://docs.kernel.org/process/cve.html

Related to this, I've submitted an RFC patch for a document (aimed at distributions) describing how to assess kernel patches for security impact and indirectly proposing a way to reduce the workload:

https://lore.kernel.org/all/20240311150054.2945210-2-vegard.nossum () oracle com/

I wanted to share the link here as 1) some distributions may not have seen the original posting, and 2) it may be of some general interest to others on here.

If you have feedback, please reply to the linked thread.

Thanks,

Vegard