Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Feb 15, 2024 at 06:38:05PM +0100, Jiri Kosina wrote:
> On Thu, 15 Feb 2024, Greg Kroah-Hartman wrote:
> 
> > The Linux kernel project now has the ability to assign CVEs to fixed
> > issues, so document the process and how individual developers can get a
> > CVE if one is not automatically assigned for their fixes.
> 
> There is still one thing that's not clear to me with this new process, and 
> that's how embargos are going to be handled.
> 
> Currently, the process is broken as well, but at least understood by 
> everybody.
> 
> - issues are reported to security@xxxxxxxxxx. No CVE assigned, 7days 
>   embargo, then fix gets pushed out
> 
> - at some point (in parallel, before, or after the above), the issue gets 
>   reported to linux-distros@. CVE gets assigned, and downstreams start 
>   integrating the fix (once available) to their codebase.

linux-distros is not allowed to assign a CVE id for a Linux kernel fix,
so this will not happen here anymore.  They HAVE to contact
cve@xxxxxxxxxx in order to do this as no one else is allowed to create a
CVE entry for Linux unless some very extreem things happen that I do not
plan on ever having happen to us (see the CNA rules for details.)

> - embargo is lifted, fixes are released with proper CVE reference
> 
> How is the new process going to look like? Please keep in mind that 
> linux-stable is (by far!) *not* the only downstream of Linux Kernel 
> project.

I agree, and again, linux-distros will not be assigning CVEs for issues
that affect the currently supported kernels as listed on kernel.org, nor
will any other group, so this shouldn't be an issue as we can coordinate
properly if the above senario happens.

> We've had this discussion in other contexts already, but I whole-heartedly 
> believe that it's in no way in the Linux Kernel project's interest to kill 
> those other downstreams (read: Linux distros) (*) ... or is it?

I have no interest in doing anything about linux-distros, just that they
are not allowed to assign a new CVE for Linux anymore as of Tuesday this
week, and neither is any other CNA, just like they are not allowed to
assign a CVE for Windows today, no difference at all.

thanks,

greg k-h
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux