|
Message-ID: <20090429052858.GD11901@lackof.org> Date: Tue, 28 Apr 2009 23:28:58 -0600 From: dann frazier <dannf@...ian.org> To: Steven French <sfrench@...ibm.com> Cc: oss-security@...ts.openwall.com, security@...nel.org, jlayton@...hat.com Subject: Re: CVE request? buffer overflow in CIFS in 2.6.* On Tue, Apr 28, 2009 at 08:27:19PM -0500, Steven French wrote: > Jeff (Layton) was working an additional fix (updating a proposed fix from > Suresh J.). We will review it together tomorrow. Cool, thanks Steve. Also, I now notice that CVE-2009-1439 was assigned for the nativeFileSystem fixes, so looks like the status is: CVE-2009-1439: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7 http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e CVE-2009-NOT-YET-ASSIGNED: http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4 http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61 http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413 + some others in progress Does that look accurate? > > > Steve French > Senior Software Engineer > Linux Technology Center - IBM Austin > phone: 512-838-2294 > email: sfrench at-sign us dot ibm dot com > > > > dann frazier <dannf@...ian.org> > 04/28/2009 08:12 PM > > To > oss-security@...ts.openwall.com > cc > security@...nel.org, Steven French/Austin/IBM@...US > Subject > Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.* > > > > > > > On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote: > > Hi Steve, > > > > > One approach might be to "pre-tag" this whole set of changes with a > single > > > CVE, then when they ultimately get merged into a single kernel version > or > > > some other concrete milestone, the "scope" of that CVE ends. > > > > I'm fine with this approach. It can actually help to make it easier to > > manage this set of changes. > > To summarize (and make sure I understand), the plan is to create a > single CVE for a collection of CIFS fixes. So far, this series includes > the following changesets, but others may be added as well: > > http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7 > > http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e > > http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4 > http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61 > > http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413 > > > Is that correct? If so, is there an estimate for when this set will be > deemed complete and a CVE assigned? > > I think that if we wait too long to close this, we'll end up with > distributions releasing updates with only a subset of these > fixes, which would make this "collection" somewhat difficult to track > by CVE ID handle. I'm otherwise quite happy with this plan, fwiw. > -- dann frazier
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.