Message-ID: <EB502BBD-AA97-4FC5-A0E7-D148B0E33FF7@lanl.gov>
Date: Mon, 25 Sep 2017 21:50:59 +0000
From: "Priedhorsky, Reid" <reidpr@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Linux kernel CVEs not mentioned on oss-security

Hello all,

Debian recently issued DSA-3981-1, which announced fixes for quite a few CVEs affecting the Linux kernel. For five of these, I could find no evidence of any mention on oss-security:

  CVE-2017-10661
  CVE-2017-11600
  CVE-2017-12146
  CVE-2017-12154
  CVE-2017-14156

Another CVE not in Debian’s announcement also seems not to have been mentioned here:

  CVE-2016-10200

Of these six, three are possible privilege escalations (CVE-2016-10200, CVE-2017-10661, CVE-2017-12146). One was reported on oss-security, but not by CVE (CVE-2017-14156); the subject was “Linux kernel: driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak”.

I looked for mentions with the Google query ‘"CVE-xxxx-yyyyy" oss-security’ as well as in my own database that I maintain directly from list postings. For CVEs that do appear here on the list, the posting is usually the first Google hit. I don’t believe any of the above are recent enough not to have been announced.

This is related to previous discussions here about CVE requests moving from this list to a web form. IIRC, a key hypothesis was that CVE requestors would forward notices to oss-security. Above, I provide evidence that this is not happening consistently for Linux kernel vulnerabilities.

My questions:

1. Is oss-security’s coverage of security issues in open-source software intended to be comprehensive? If so, this appears not to be true for the Linux kernel.

2. Is there another source of comprehensive coverage of vulnerabilities in the Linux kernel, including but not necessarily limited to all CVEs issued for it?

I appreciate everyone’s time and effort on all this stuff. This post should not be interpreted as singling out Debian for criticism.

Thanks,
Reid
