On Thu 15-02-24 19:20:09, Greg KH wrote:
> On Thu, Feb 15, 2024 at 06:54:17PM +0100, Michal Hocko wrote:
> > On Wed 14-02-24 09:00:30, Greg KH wrote:
> > [...]
> > > +Process
> > > +-------
> > > +
> > > +As part of the normal stable release process, kernel changes that are
> > > +potentially security issues are identified by the developers responsible
> > > +for CVE number assignments and have CVE numbers automatically assigned
> > > +to them. These assignments are published on the linux-cve-announce
> > > +mailing list as announcements on a frequent basis.
> > > +
> > > +Note, due to the layer at which the Linux kernel is in a system, almost
> > > +any bug might be exploitable to compromise the security of the kernel,
> > > +but the possibility of exploitation is often not evident when the bug is
> > > +fixed. Because of this, the CVE assignment team is overly cautious and
> > > +assign CVE numbers to any bugfix that they identify. This
> > > +explains the seemingly large number of CVEs that are issued by the Linux
> > > +kernel team.
> >
> > Does the process focus only on assigning CVE numbers to a given upstream
> > commit(s) without any specifics of the actual security threat covered by
> > the said CVE?
>
> Outside of the git commit text, no, we are not going to be adding
> anything additional to the report, UNLESS someone wants to add
> additional text to it, and then we will be glad to update a CVE entry
> with the additional information.

OK, so what is the point of having CVE assigned to such a commit without
any additional information which is already referenced by the kernel sha?
What is the actual added value of that CVE?

> Here's an example of what the CVE announcement is going to look like for
> a "test" that we have been doing for our scripts
> https://lore.kernel.org/linux-cve-announce/2024021353-drainage-unstuffed-a7c0@gregkh/T/#u

Thanks, this gave me some idea.
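Review bot: in the second quoted paragraph, "the CVE assignment team is overly cautious and assign CVE numbers" needs "assigns" to agree with "team". The first paragraph is also ambiguous about who does what: changes "are identified by the developers responsible for CVE number assignments" and then "have CVE numbers automatically assigned to them", which leaves it unclear whether selection of the commits is a human decision and only the number allocation is automated, or whether both steps are automatic; suggest stating explicitly which step is done by people and which by the scripts.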
One worrying part is
: Please note that only supported kernel versions have fixes applied to
: them. For a full list of currently supported kernel versions, please
: see https://www.kernel.org/

From the above it is not really clear "supported by _whom_". Because I am
pretty sure there are _fully_ supported kernels outside of that list which
are actively maintained.

-- 
Michal Hocko
SUSE Labs