Message-ID: <1510683715.18312.1.camel@pnnl.gov>
Date: Tue, 14 Nov 2017 18:21:56 +0000
From: "Maier, Kurt H" <kurt.maier@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver

On Tue, 2017-11-14 at 08:37 +0100, Greg KH wrote:
> 
> But really, this isn't even a "good start", it's identifying a bug
> fixed over a year ago for a kernel that only one company seems to
> care about because they are _not_ following the recommended upstream
> stable kernel patches because they "know better" :)

First you objected to a specific bug, then it turned into "do
everything or give up," now we're back to a specific bug, and each
iteration is more unrealistic "just run whatever we release immediately
across all devices" advice.

Please, this is not productive.

And without rancor, jibes like the "know better" line are basically
just trash-talking people who actually run systems for a living and the
organizations that provide support and development for those systems.
You're welcome to hold them in contempt but your weird persistence in
ensuring that contempt is explicitly expressed in every message you
post to the list is distracting at best, obnoxious as a baseline, and
toxic as a rule.  Consider taking it for granted that you're possessed
of wisdom unattained by the masses; we've all received this message by
now.

> That's my objection here.

Your objections are not accompanied by any advice that can be followed
by the vast majority of people responsible for Linux systems.  The rest
of us are just trying to do our jobs, and the CVE process is an
important tool.  Please stop trying to make the kernel immune to CVE
reporting without any actual path forward for those of us who need this
tool.

I want to stress that I don't see a need for kernel maintainers to
change their approach in this regard and I have no problem with the
policies as they stand.  But I am profoundly confused as to why you
feel the need to post to oss-sec essentially telling people to pack it
in and go home.  It's not going to happen unless and until we have an
even more reliable and comprehensive method of tracking vulnerabilities
in packaged kernels, regardless of the blessed nature of the
immaculate LTS.

Thanks for your time,
khm
