On 07-09-17 14:34, Kalle Valo wrote:
> Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> writes:
>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the Coverity ids.
>
> Johannes already answered, but I'll just add that this is all I know
> about security patches:
>
>     If you have a patch that fixes an exploitable security bug, send that
>     patch to security@xxxxxxxxxx. For severe bugs, a short embargo may be
>     considered to allow distributors to get the patch out to users; in
>     such cases, obviously, the patch should not be sent to any public
>     lists.
>
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html
>
> I don't know if you should follow that in this case or not, just wanted
> to point out this.
I see. I thought security@xxxxxxxxxx was just to report exploitable
security bugs. Thanks for the pointer.
Regards,
Arend