Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171114073720.GA27647@kroah.com>
Date: Tue, 14 Nov 2017 08:37:20 +0100
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: Vladis Dronov <vdronov@...hat.com>
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due
 to a race condition in [legousbtower] driver

On Mon, Nov 13, 2017 at 07:42:27PM -0500, David A. Wheeler wrote:
> On Mon, 13 Nov 2017 16:15:24 +0100, Greg KH <greg@...ah.com> wrote:
> > It's the arbitrarily nature here that I am curious about, it feels like
> > it should be "all or nothing", for CVEs to mean much here.  Right now it
> > seems like it is just, "all that we care to track"?  :)
> 
> "All" would be awesome, though unlikely.  But even if that's the eventual goal,
> "good starts" are still good starts.

But really, this isn't even a "good start", it's identifying a bug fixed
over a year ago for a kernel that only one company seems to care about
because they are _not_ following the recommended upstream stable kernel
patches because they "know better" :)

That's my objection here.

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.