From: Greg KH <gregkh@linuxfoundation.org>
To: Josh Boyer <jwboyer@fedoraproject.org>
Cc: Peter Hurley <peter@hurleysoftware.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com
Subject: Re: 2015 kernel CVEs
Date: Tue, 19 Jan 2016 09:51:54 -0800 [thread overview]
Message-ID: <20160119175154.GA7485@kroah.com> (raw)
In-Reply-To: <CA+5PVA7C=LDkVNR3v0qxKu8OasJ49fG51aRGwDwA2QOAFGNXhw@mail.gmail.com>
On Tue, Jan 19, 2016 at 12:00:57PM -0500, Josh Boyer wrote:
> On Tue, Jan 19, 2016 at 11:57 AM, Peter Hurley <peter@hurleysoftware.com> wrote:
> > On 01/19/2016 03:28 AM, Dan Carpenter wrote:
> >> I like to look back over old CVEs to see how we could do better. Here
> >> is the list from 2015. I got most of this information from the Ubuntu
> >> CVE tracker. Thanks Ubuntu!. If it doesn't have a hash that means it
> >> might not be fixed yet.
> >
> > [...]
> >
> >> CVE-2015-4170 cf872776fc84: tty: hang in tty
> >
> > Makes no sense that this was assigned a CVE.
> > I fixed this _2 yrs before_ it was reported and the patch was CC'd stable.
>
> I'm guessing the CVE was assigned because there are distributions that
> ship based on kernels earlier than 3.13. Those distributors need to
> verify if they have the fix, etc.
Yes, that's what happened here, Red Hat asked for it from what I
remember. I complained loudly on the oss-security list about it, but oh
well...
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: Josh Boyer <jwboyer@fedoraproject.org>
Cc: Peter Hurley <peter@hurleysoftware.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: 2015 kernel CVEs
Date: Tue, 19 Jan 2016 09:51:54 -0800 [thread overview]
Message-ID: <20160119175154.GA7485@kroah.com> (raw)
In-Reply-To: <CA+5PVA7C=LDkVNR3v0qxKu8OasJ49fG51aRGwDwA2QOAFGNXhw@mail.gmail.com>
On Tue, Jan 19, 2016 at 12:00:57PM -0500, Josh Boyer wrote:
> On Tue, Jan 19, 2016 at 11:57 AM, Peter Hurley <peter@hurleysoftware.com> wrote:
> > On 01/19/2016 03:28 AM, Dan Carpenter wrote:
> >> I like to look back over old CVEs to see how we could do better. Here
> >> is the list from 2015. I got most of this information from the Ubuntu
> >> CVE tracker. Thanks Ubuntu!. If it doesn't have a hash that means it
> >> might not be fixed yet.
> >
> > [...]
> >
> >> CVE-2015-4170 cf872776fc84: tty: hang in tty
> >
> > Makes no sense that this was assigned a CVE.
> > I fixed this _2 yrs before_ it was reported and the patch was CC'd stable.
>
> I'm guessing the CVE was assigned because there are distributions that
> ship based on kernels earlier than 3.13. Those distributors need to
> verify if they have the fix, etc.
Yes, that's what happened here, Red Hat asked for it from what I
remember. I complained loudly on the oss-security list about it, but oh
well...
greg k-h
next prev parent reply other threads:[~2016-01-19 17:52 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-19 11:28 2015 kernel CVEs Dan Carpenter
2016-01-19 11:28 ` [kernel-hardening] " Dan Carpenter
2016-01-19 11:49 ` Hanno Böck
2016-01-19 15:49 ` Quentin Casasnovas
2016-01-20 11:19 ` Hanno Böck
2016-01-20 14:15 ` Wade Mealing
2016-01-20 17:48 ` Hanno Böck
2016-01-19 13:13 ` Wade Mealing
2016-01-19 14:56 ` One Thousand Gnomes
2016-01-19 14:56 ` [kernel-hardening] " One Thousand Gnomes
2016-01-19 16:32 ` [kernel-hardening] " Ben Hutchings
2016-01-19 17:54 ` Greg KH
2016-01-20 17:05 ` Ben Hutchings
2016-01-20 18:04 ` Greg KH
2016-01-21 15:18 ` Jiri Kosina
2016-01-21 18:46 ` Ben Hutchings
2016-01-19 16:57 ` Peter Hurley
2016-01-19 16:57 ` [kernel-hardening] " Peter Hurley
2016-01-19 17:00 ` Josh Boyer
2016-01-19 17:00 ` [kernel-hardening] " Josh Boyer
2016-01-19 17:51 ` Greg KH [this message]
2016-01-19 17:51 ` Greg KH
2016-01-20 7:12 ` Marcus Meissner
2016-01-19 17:57 ` [kernel-hardening] " Theodore Ts'o
2016-01-19 18:00 ` Al Viro
2016-01-19 18:00 ` [kernel-hardening] " Al Viro
2016-01-19 22:41 ` Eric W. Biederman
2016-01-19 22:47 ` [kernel-hardening] " Eric W. Biederman
2016-01-20 20:11 ` Jann Horn
2016-01-20 21:26 ` One Thousand Gnomes
2016-01-19 23:35 ` Kees Cook
2016-01-19 23:35 ` Kees Cook
2016-01-20 9:57 ` Miroslav Benes
2016-01-20 9:57 ` [kernel-hardening] " Miroslav Benes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160119175154.GA7485@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=jwboyer@fedoraproject.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=peter@hurleysoftware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.