Re: using vulnerability ids in patches

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kalle Valo <kvalo@codeaurora.org>
To: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: using vulnerability ids in patches
Date: Thu, 07 Sep 2017 15:34:52 +0300	[thread overview]
Message-ID: <87bmmmn0ur.fsf@kamboji.qca.qualcomm.com> (raw)
In-Reply-To: <7415a11b-398c-69df-b39f-7b985f07112b@broadcom.com> (Arend van Spriel's message of "Thu, 7 Sep 2017 10:40:41 +0200")

Arend van Spriel <arend.vanspriel@broadcom.com> writes:

> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have a
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the coverity ids.

Johannes already answered, but I'll just add that this is all I know
about security patches:

  If you have a patch that fixes an exploitable security bug, send that
  patch to security@kernel.org. For severe bugs, a short embargo may be
  considered to allow distributors to get the patch out to users; in
  such cases, obviously, the patch should not be sent to any public
  lists.

  https://www.kernel.org/doc/html/latest/process/submitting-patches.html

I don't know if you should follow that in this case or not, just wanted
to point out this.

-- 
Kalle Valo

next prev parent reply	other threads:[~2017-09-07 12:34 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-07  8:40 using vulnerability ids in patches Arend van Spriel
2017-09-07  8:59 ` Johannes Berg
2017-09-07  9:28   ` Arend van Spriel
2017-09-07  9:38   ` Arend van Spriel
2017-09-07  9:40     ` Johannes Berg
2017-09-07  9:59       ` Arend van Spriel
2017-09-07 12:34 ` Kalle Valo [this message]
2017-09-07 19:55   ` Arend van Spriel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87bmmmn0ur.fsf@kamboji.qca.qualcomm.com \
    --to=kvalo@codeaurora.org \
    --cc=arend.vanspriel@broadcom.com \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.