Date: Tue, 28 Apr 2009 19:12:39 -0600
From: dann frazier <>
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*

On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote:
> Hi Steve,
> > One approach might be to "pre-tag" this whole set of changes with a single
> > CVE, then when they ultimately get merged into a single kernel version or
> > some other concrete milestone, the "scope" of that CVE ends.
> I'm fine with this approach. It can actually help to make it easier to
> manage this set of changes.

To summarize (and make sure I understand), the plan is to create a
single CVE for a collection of CIFS fixes. So far, this series includes
the following changesets, but others may be added as well:

  ;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
  ;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
  ;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
  ;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413

Is that correct? If so, is there an estimate for when this set will be
deemed complete and a CVE assigned?

I think that if we wait too long to close this, we'll end up with
distributions releasing updates with only a subset of these
fixes, which would make this "collection" somewhat difficult to track
by CVE ID handle. I'm otherwise quite happy with this plan, fwiw.

dann frazier
