Message-ID: <OF729CA43D.0A5BA90F-ON872575A7.0007ED90-862575A7.00082929@us.ibm.com>
Date: Tue, 28 Apr 2009 20:27:19 -0500
From: Steven French <sfrench@...ibm.com>
To: dann frazier <dannf@...ian.org>
Cc: oss-security@...ts.openwall.com, security@...nel.org, jlayton@...hat.com
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*

Jeff (Layton) was working an additional fix (updating a proposed fix from Suresh J.). We will review it together tomorrow.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com


dann frazier <dannf@...ian.org>
04/28/2009 08:12 PM

To: oss-security@...ts.openwall.com
cc: security@...nel.org, Steven French/Austin/IBM@...US
Subject: Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*

On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote:
> Hi Steve,
>
> > One approach might be to "pre-tag" this whole set of changes with a single
> > CVE, then when they ultimately get merged into a single kernel version or
> > some other concrete milestone, the "scope" of that CVE ends.
>
> I'm fine with this approach. It can actually help to make it easier to
> manage this set of changes.

To summarize (and make sure I understand), the plan is to create a single CVE for a collection of CIFS fixes. So far, this series includes the following changesets, but others may be added as well:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413

Is that correct?

If so, is there an estimate for when this set will be deemed complete and a CVE assigned? I think that if we wait too long to close this, we'll end up with distributions releasing updates with only a subset of these fixes, which would make this "collection" somewhat difficult to track by CVE ID handle.

I'm otherwise quite happy with this plan, fwiw.

-- 
dann frazier