Re: [PATCH RFC 6.6.y 00/15] Some missing CVE fixes

On Tue 2024-10-08 13:24:05, Greg Kroah-Hartman wrote:
> On Tue, Oct 08, 2024 at 01:16:28PM +0200, Pavel Machek wrote:
> > On Wed 2024-10-02 09:26:46, Jens Axboe wrote:
> > > On 10/2/24 9:05 AM, Vegard Nossum wrote:
> > > > Christophe JAILLET (1):
> > > >   null_blk: Remove usage of the deprecated ida_simple_xx() API
> > > > 
> > > > Yu Kuai (1):
> > > >   null_blk: fix null-ptr-dereference while configuring 'power' and
> > > >     'submit_queues'
> > > 
> > > I don't see how either of these are CVEs? Obviously not a problem to
> > > backport either of them to stable, but I wonder what the reasoning for
> > > that is. IOW, feels like those CVEs are bogus, which I guess is hardly
> > > surprising :-)
> > 
> > "CVE" has become meaningless for the kernel. Greg simply assigns a CVE to
> > anything that remotely resembles a bug.
> 
> Stop spreading nonsense.  We are following the cve.org rules with
> regards to assigning vulnerabilities to their definition.

Stop attacking me.

> And yes, many bugs at this level (turns out about 25% of all stable
> commits) match that definition, which is fine.  If you have a problem
> with this, please take it up with cve.org and their rules, but don't go
> making stuff up please.

You are assigning a CVE for any bug. No, it is not fine, and while CVE
rules may permit you to do that, it is unhelpful, because the CVE feed
has become useless.

(And yes, some people are trying to mitigate the damage you are doing by
disputing the worst offenders, and the process shows that quite often CVEs get
assigned when they should not have been.)

And yes, I have a problem with that.

Just because you are not breaking cve.org rules does not mean you are
doing a good thing. (And yes, probably the cve.org rules should be fixed.)

								Pavel
-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
