* using vulnerability ids in patches
@ 2017-09-07 8:40 Arend van Spriel
2017-09-07 8:59 ` Johannes Berg
2017-09-07 12:34 ` Kalle Valo
0 siblings, 2 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-09-07 8:40 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless
Hi Kalle,
Due to recent events we were asked about some vulnerability fixes for
brcmfmac. We already fixed a couple of things without referring to a
so-called CVE-ID, which is what people are asking for. Do we have a
upstream policy on that? I could not really find anything in the
Documentation folder (but I may have overlooked it). Might be worth
mentioning in the commit message like with the coverity ids.
Regards,
Arend
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 8:40 using vulnerability ids in patches Arend van Spriel
@ 2017-09-07 8:59 ` Johannes Berg
2017-09-07 9:28 ` Arend van Spriel
2017-09-07 9:38 ` Arend van Spriel
2017-09-07 12:34 ` Kalle Valo
1 sibling, 2 replies; 8+ messages in thread
From: Johannes Berg @ 2017-09-07 8:59 UTC (permalink / raw)
To: Arend van Spriel, Kalle Valo; +Cc: linux-wireless
On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
> Hi Kalle,
>
> Due to recent events we were asked about some vulnerability fixes
> for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have a
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the coverity ids.
Sure.
git log --grep "CVE-"
shows it being done frequently.
johannes
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 8:59 ` Johannes Berg
@ 2017-09-07 9:28 ` Arend van Spriel
2017-09-07 9:38 ` Arend van Spriel
1 sibling, 0 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-09-07 9:28 UTC (permalink / raw)
To: Johannes Berg, Kalle Valo; +Cc: linux-wireless
On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes
>> for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have a
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the coverity ids.
>
> Sure.
>
> git log --grep "CVE-"
>
> shows it being done frequently.
Right. Failed to do the obvious ;-)
Thanks,
Arend
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 8:59 ` Johannes Berg
2017-09-07 9:28 ` Arend van Spriel
@ 2017-09-07 9:38 ` Arend van Spriel
2017-09-07 9:40 ` Johannes Berg
1 sibling, 1 reply; 8+ messages in thread
From: Arend van Spriel @ 2017-09-07 9:38 UTC (permalink / raw)
To: Johannes Berg, Kalle Valo; +Cc: linux-wireless
On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes
>> for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have a
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the coverity ids.
>
> Sure.
>
> git log --grep "CVE-"
>
> shows it being done frequently.
Ok. So doing this I see a number of instances where the CVE-ID is
mentioned in the commit message, but there are also instances that use
the 'Fixes:' tag. Does it make sense to use that or does it serve
another purpose?
Regards,
Arend
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 9:38 ` Arend van Spriel
@ 2017-09-07 9:40 ` Johannes Berg
2017-09-07 9:59 ` Arend van Spriel
0 siblings, 1 reply; 8+ messages in thread
From: Johannes Berg @ 2017-09-07 9:40 UTC (permalink / raw)
To: Arend van Spriel, Kalle Valo; +Cc: linux-wireless
On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>
> Ok. So doing this I see a number of instances where the CVE-ID is
> mentioned in the commit message, but there are also instances that
> use the 'Fixes:' tag. Does it make sense to use that or does it
> serve another purpose?
Huh, I don't think that makes sense - the Fixes: tag should be for the
commit that introduced the bug. I guess parsers will have to ignore
garbage so it's probably safe, but I don't think you could mine for CVE
fixes that way anyway ...
johannes
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 9:40 ` Johannes Berg
@ 2017-09-07 9:59 ` Arend van Spriel
0 siblings, 0 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-09-07 9:59 UTC (permalink / raw)
To: Johannes Berg, Kalle Valo; +Cc: linux-wireless
On 07-09-17 11:40, Johannes Berg wrote:
> On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>>
>> Ok. So doing this I see a number of instances where the CVE-ID is
>> mentioned in the commit message, but there are also instances that
>> use the 'Fixes:' tag. Does it make sense to use that or does it
>> serve another purpose?
>
> Huh, I don't think that makes sense - the Fixes: tag should be for the
> commit that introduced the bug. I guess parsers will have to ignore
> garbage so it's probably safe, but I don't think you could mine for CVE
> fixes that way anyway ...
Indeed. I see a lot of different ways in which the CVE-IDs are
referenced, which makes mining for a list of CVE-IDs between releases
hard. Seems like a useful thing to have though, but people may grow
tired of all the different tags :-p
Regards,
Arend
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 8:40 using vulnerability ids in patches Arend van Spriel
2017-09-07 8:59 ` Johannes Berg
@ 2017-09-07 12:34 ` Kalle Valo
2017-09-07 19:55 ` Arend van Spriel
1 sibling, 1 reply; 8+ messages in thread
From: Kalle Valo @ 2017-09-07 12:34 UTC (permalink / raw)
To: Arend van Spriel; +Cc: linux-wireless
Arend van Spriel <arend.vanspriel@broadcom.com> writes:
> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have a
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the coverity ids.
Johannes already answered, but I'll just add that this is all I know
about security patches:
If you have a patch that fixes an exploitable security bug, send that
patch to security@kernel.org. For severe bugs, a short embargo may be
considered to allow distributors to get the patch out to users; in
such cases, obviously, the patch should not be sent to any public
lists.
https://www.kernel.org/doc/html/latest/process/submitting-patches.html
I don't know if you should follow that in this case or not, just wanted
to point out this.
--
Kalle Valo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: using vulnerability ids in patches
2017-09-07 12:34 ` Kalle Valo
@ 2017-09-07 19:55 ` Arend van Spriel
0 siblings, 0 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-09-07 19:55 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless
On 07-09-17 14:34, Kalle Valo wrote:
> Arend van Spriel <arend.vanspriel@broadcom.com> writes:
>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have a
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the coverity ids.
>
> Johannes already answered, but I'll just add that this is all I know
> about security patches:
>
> If you have a patch that fixes an exploitable security bug, send that
> patch to security@kernel.org. For severe bugs, a short embargo may be
> considered to allow distributors to get the patch out to users; in
> such cases, obviously, the patch should not be sent to any public
> lists.
>
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html
>
> I don't know if you should follow that in this case or not, just wanted
> to point out this.
I see. I thought security@kernel.org was just to report exploitable
security bugs. Thanks for the pointer.
Regards,
Arend
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-09-07 19:55 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-07 8:40 using vulnerability ids in patches Arend van Spriel
2017-09-07 8:59 ` Johannes Berg
2017-09-07 9:28 ` Arend van Spriel
2017-09-07 9:38 ` Arend van Spriel
2017-09-07 9:40 ` Johannes Berg
2017-09-07 9:59 ` Arend van Spriel
2017-09-07 12:34 ` Kalle Valo
2017-09-07 19:55 ` Arend van Spriel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox