Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130905082349.GA5658@mwanda>
Date: Thu, 5 Sep 2013 11:23:49 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: oss-security@...ts.openwall.com, kseifried@...hat.com
Cc: Agostino Sarubbo <ago@...too.org>, Kees Cook <keescook@...omium.org>
Subject: Re: CVE request: Kernel PID Spoofing Privilege
 Escalation Vulnerability

On Wed, Sep 04, 2013 at 08:30:05PM -0600, Kurt Seifried wrote:
> Please use CVE-2013-4300 for this issue.
> 
> Stupid Q, any reason why this couldn't be sent to
> http://oss-security.openwall.org/wiki/mailing-lists/distros to give
> vendors a heads up (also we can get it a CVE prior to public release
> then)?
> 

The original patch was sent to netdev and lkml publicly from the start.

https://lkml.org/lkml/2013/8/22/462

We do have someone who is supposed to forwarding security bugs from
security@...nel.org to distros.  I'm not on distros but apparently this
wasn't happening properly so we've recently assigned another person to
help with this.

We're reviewing our security policies for the during the kernel summit,
in October btw.  So far the main points are that people want less
secrecy and more public reviews and better testing.  Kees wants to keep
a record of CVEs in the kernel.

https://lists.linuxfoundation.org/pipermail/ksummit-2013-discuss/2013-August/001050.html

It's not clear if anything will actually change though.

regards,
dan carpenter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.