Re: 95baa60a0da8 ("ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()")

On Tue, Jun 4, 2019 at 12:52 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Jun 03, 2019 at 10:31:15AM -0700, Zubin Mithra wrote:
> > Hello,
> >
> > CVE-2019-12378 was fixed in the upstream linux kernel with the following commit.
> > * 95baa60a0da8 ("ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()")
>
> A CVE was created for that tiny thing?
>
> Hah, no, I think I'll refuse to apply it just for the very point of it.

We don't create CVEs, but we do have to get CVE fixes applied to our
branches. We don't try to police the creation of CVEs, and we don't
try to double-guess them since that would be futile (who guarantees
that our double-guessing matches yours?). We do have a policy to not
apply CVEs directly but ask for stable tree merges instead to avoid
deviation, and we (more specifically, Zubin) spend a lot of time
validating the fixes before sending a request. I just made that
official policy, but a policy is not cast in stone. We will stop doing
that if we get this kind of response. If that is what you want, let me
know.

Zubin, maybe hold back with -stable backport requests for the time
being, and just apply missing patches directly to our branches. Sorry
for the trouble.

> That's something that cannot be triggered by normal operations, right?
> It's a bugfix-for-the-theoretical from what I can see...
>
> > Could the patch be applied to v4.19.y, v4.14.y, v4.9.y and v4.4.y?
>
> Why are you ignoring 5.1?
>
Probably because no one is perfect.

Thanks,
Guenter

> thanks,
>
> greg k-h
