|
Message-ID: <20130905082349.GA5658@mwanda> Date: Thu, 5 Sep 2013 11:23:49 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: oss-security@...ts.openwall.com, kseifried@...hat.com Cc: Agostino Sarubbo <ago@...too.org>, Kees Cook <keescook@...omium.org> Subject: Re: CVE request: Kernel PID Spoofing Privilege Escalation Vulnerability On Wed, Sep 04, 2013 at 08:30:05PM -0600, Kurt Seifried wrote: > Please use CVE-2013-4300 for this issue. > > Stupid Q, any reason why this couldn't be sent to > http://oss-security.openwall.org/wiki/mailing-lists/distros to give > vendors a heads up (also we can get it a CVE prior to public release > then)? > The original patch was sent to netdev and lkml publicly from the start. https://lkml.org/lkml/2013/8/22/462 We do have someone who is supposed to forwarding security bugs from security@...nel.org to distros. I'm not on distros but apparently this wasn't happening properly so we've recently assigned another person to help with this. We're reviewing our security policies for the during the kernel summit, in October btw. So far the main points are that people want less secrecy and more public reviews and better testing. Kees wants to keep a record of CVEs in the kernel. https://lists.linuxfoundation.org/pipermail/ksummit-2013-discuss/2013-August/001050.html It's not clear if anything will actually change though. regards, dan carpenter
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.