Message-ID: <YoNGC3IYwXWE7CBX@kroah.com>
Date: Tue, 17 May 2022 08:51:55 +0200
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

On Tue, May 17, 2022 at 03:30:33AM +0000, Seth Arnold wrote:
> Given how much effort it takes me to assign CVEs for kernel issues, I've
> wondered before if we (me, us, the community as a whole, etc) ought to
> have a very standard and lightweight way to publish kernel CVEs, something
> that's not much more than the Fixes: lines already in the commits.

Isn't this what the "GSD" process is supposed to accomplish:
	https://globalsecuritydatabase.org/

The stable kernel team (i.e. Sasha) asks for identifiers for kernel
issues all the time from this group now that MITRE refuses to assign
CVEs for kernel fixes made in stable kernel releases.

If you look in their database at github, there are lots of kernel
commits being tracked there, is that sufficient for your needs?

> I know this discussion didn't start around assigning CVEs to kernel
> issues, but if we're missing more than we're handling, perhaps it ought to
> be part of the discussion.

I think this is an independent issue that doesn't have much to do with
linux-distros other than currently linux-distros is one of the simplest
ways that people can get CVEs for kernel issues at the moment.

thanks,

greg k-h