Message-ID: <20130905083052.GV26936@dhcp-25-225.brq.redhat.com>
Date: Thu, 5 Sep 2013 10:30:52 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: kseifried@...hat.com, Agostino Sarubbo <ago@...too.org>,
        Kees Cook <keescook@...omium.org>
Subject: Re: CVE request: Kernel PID Spoofing Privilege Escalation Vulnerability

On Thu, Sep 05, 2013 at 11:23:49AM +0300, Dan Carpenter wrote:
> On Wed, Sep 04, 2013 at 08:30:05PM -0600, Kurt Seifried wrote:
> > Please use CVE-2013-4300 for this issue.
> > 
> > Stupid Q, any reason why this couldn't be sent to
> > http://oss-security.openwall.org/wiki/mailing-lists/distros to give
> > vendors a heads up (also we can get it a CVE prior to public release
> > then)?
> > 
> 
> The original patch was sent to netdev and lkml publicly from the start.
> 
> https://lkml.org/lkml/2013/8/22/462
> 
> We do have someone who is supposed to be forwarding security bugs from
> security@...nel.org to distros.  I'm not on distros but apparently this
> wasn't happening properly so we've recently assigned another person to
> help with this.

As you said, the patch was sent to public mailing lists clearly saying
"This is a security bug.". If anything, this should have been forwarded
to oss-security, there's no point to forward to distros when the issue
is a) public and b) clearly marked as security fix.

-- 
Petr Matousek / Red Hat Security Response Team
