Patch "Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 4fee0915e649bd0cea56dece6d96f8f4643df33c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 30 Jun 2023 09:14:20 +0200
Subject: Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit 4fee0915e649bd0cea56dece6d96f8f4643df33c upstream.

Because the linux-distros group forces reporters to release information
about reported bugs, and they impose arbitrary deadlines in having those
bugs fixed despite not actually being kernel developers, the kernel
security team recommends not interacting with them at all as this just
causes confusion and the early-release of reported security problems.

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 Documentation/admin-guide/security-bugs.rst |   24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

--- a/Documentation/admin-guide/security-bugs.rst
+++ b/Documentation/admin-guide/security-bugs.rst
@@ -63,20 +63,18 @@ information submitted to the security li
 of the report are treated confidentially even after the embargo has been
 lifted, in perpetuity.
 
-Coordination
-------------
+Coordination with other groups
+------------------------------
 
-Fixes for sensitive bugs, such as those that might lead to privilege
-escalations, may need to be coordinated with the private
-<linux-distros@xxxxxxxxxxxxxxx> mailing list so that distribution vendors
-are well prepared to issue a fixed kernel upon public disclosure of the
-upstream fix. Distros will need some time to test the proposed patch and
-will generally request at least a few days of embargo, and vendor update
-publication prefers to happen Tuesday through Thursday. When appropriate,
-the security team can assist with this coordination, or the reporter can
-include linux-distros from the start. In this case, remember to prefix
-the email Subject line with "[vs]" as described in the linux-distros wiki:
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
+The kernel security team strongly recommends that reporters of potential
+security issues NEVER contact the "linux-distros" mailing list until
+AFTER discussing it with the kernel security team.  Do not Cc: both
+lists at once.  You may contact the linux-distros mailing list after a
+fix has been agreed on and you fully understand the requirements that
+doing so will impose on you and the kernel community.
+
+The different lists have different goals and the linux-distros rules do
+not contribute to actually fixing any potential security problems.
 
 CVE assignment
 --------------
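
Review bot: The new "Coordination with other groups" paragraph asks reporters to "fully understand the requirements that doing so will impose", but the removed lines held the only pointer to where those requirements are written down (the linux-distros wiki URL), and nothing replaces it. Suggest keeping a reference to that wiki page next to the sentence beginning "You may contact the linux-distros mailing list after a fix has been agreed on", so a reporter can read the rules before deciding. The closing sentence, "The different lists have different goals", would also be more useful if it named the goals in a few words. Minor: "discussing it" has a plural antecedent ("potential security issues"); "discussing them" reads more cleanly.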


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-5.10/revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch
queue-5.10/documentation-security-bugs.rst-clarify-cve-handling.patch
queue-5.10/hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch
queue-5.10/usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch
queue-5.10/documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
queue-5.10/tpm_tis-explicitly-check-for-error-code.patch
queue-5.10/staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch
queue-5.10/usb-serial-option-support-quectel-em060k_128.patch
queue-5.10/usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch
queue-5.10/serial-8250_dw-preserve-original-value-of-dlf-register.patch
queue-5.10/revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch
queue-5.10/revert-usb-xhci-tegra-fix-error-check.patch
queue-5.10/usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch
queue-5.10/serial-sifive-fix-sifive_serial_console_setup-section.patch
queue-5.10/alsa-hda-realtek-support-asus-g713pv-laptop.patch
queue-5.10/can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch
queue-5.10/alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch
queue-5.10/usb-quirks-add-quirk-for-focusrite-scarlett.patch
queue-5.10/file-always-lock-position-for-fmode_atomic_pos.patch
queue-5.10/usb-serial-simple-add-kaufmann-rks-can-vcp.patch
queue-5.10/tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch
queue-5.10/usb-serial-option-add-quectel-ec200a-module-support.patch
queue-5.10/btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch
queue-5.10/usb-serial-simple-sort-driver-entries.patch
queue-5.10/nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch
queue-5.10/usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch
queue-5.10/serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch
queue-5.10/usb-xhci-mtk-set-the-dma-max_seg_size.patch


