Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20090429011239.GF6418@lackof.org>
Date: Tue, 28 Apr 2009 19:12:39 -0600
From: dann frazier <dannf@...ian.org>
To: oss-security@...ts.openwall.com
Cc: security@...nel.org, sfrench@...ibm.com
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*

On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote:
> Hi Steve,
> 
> > One approach might be to "pre-tag" this whole set of changes with a single
> > CVE, then when they ultimately get merged into a single kernel version or
> > some other concrete milestone, the "scope" of that CVE ends.
> 
> I'm fine with this approach. It can actually help to make it easier to
> manage this set of changes.

To summarize (and make sure I understand), the plan is to create a
single CVE for a collection of CIFS fixes. So far, this series includes
the following changesets, but others may be added as well:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413

Is that correct? If so, is there an estimate for when this set will be
deemed complete and a CVE assigned?

I think that if we wait too long to close this, we'll end up with
distributions releasing updates with only a subset of these
fixes, which would make this "collection" somewhat difficult to track
by CVE ID handle. I'm otherwise quite happy with this plan, fwiw.

-- 
dann frazier

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.