From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Pavel Machek <pavel@denx.de>
Cc: Jens Axboe <axboe@kernel.dk>,
Vegard Nossum <vegard.nossum@oracle.com>,
stable@vger.kernel.org, cengiz.can@canonical.com,
mheyne@amazon.de, mngyadam@amazon.com, kuntal.nayak@broadcom.com,
ajay.kaher@broadcom.com, zsm@chromium.org,
dan.carpenter@linaro.org, shivani.agarwal@broadcom.com,
ahalaney@redhat.com, alsi@bang-olufsen.dk, ardb@kernel.org,
benjamin.gaignard@collabora.com, bli@bang-olufsen.dk,
chengzhihao1@huawei.com, christophe.jaillet@wanadoo.fr,
ebiggers@kernel.org, edumazet@google.com,
fancer.lancer@gmail.com, florian.fainelli@broadcom.com,
harshit.m.mogalapalli@oracle.com, hdegoede@redhat.com,
horms@kernel.org, hverkuil-cisco@xs4all.nl,
ilpo.jarvinen@linux.intel.com, jgg@nvidia.com,
kevin.tian@intel.com, kirill.shutemov@linux.intel.com,
kuba@kernel.org, luiz.von.dentz@intel.com,
md.iqbal.hossain@intel.com, mpearson-lenovo@squebb.ca,
nicolinc@nvidia.com, pablo@netfilter.org, rfoss@kernel.org,
richard@nod.at, tfiga@chromium.org, vladimir.oltean@nxp.com,
xiaolei.wang@windriver.com, yanjun.zhu@linux.dev,
yi.zhang@redhat.com, yu.c.chen@intel.com, yukuai3@huawei.com
Subject: Re: [PATCH RFC 6.6.y 00/15] Some missing CVE fixes
Date: Tue, 8 Oct 2024 15:02:45 +0200
Message-ID: <2024100854-crushing-catwalk-922c@gregkh>
In-Reply-To: <ZwUml+OpEzrZNTRZ@duo.ucw.cz>

On Tue, Oct 08, 2024 at 02:33:27PM +0200, Pavel Machek wrote:
> Hi!
>
> > > > And yes, many bugs at this level (turns out about 25% of all stable
> > > > commits) match that definition, which is fine. If you have a problem
> > > > with this, please take it up with cve.org and their rules, but don't go
> > > > making stuff up please.
> > >
> > > You are assigning CVE for any bug. No, it is not fine, and while CVE
> > > rules may permit you to do that, it is unhelpful, because the CVE feed
> > > became useless.
> >
> > Their rules _REQUIRE_ us to do this. Please realize this.
>
> If you said that limited manpower makes you do this, that would be
> something to consider. Can you quote those rules?

The rules are that we have to assign a CVE id to every vulnerability
that has been fixed in Linux. The definition of "vulnerability" is
defined by them (note, it does NOT include data loss, go figure...)

> I'd expect vulnerability description to be in english, not part of
> english text and part copy/paste from changelog. I'd also expect
> vulnerability description ... to ... well, describe the
> vulnerability. While changelogs describe fix being made, not the
> vulnerability.

If you object to _how_ we write the text, wonderful, please send us
updated texts for any/all CVE ids and we will be glad to update them.
But for now, we are taking them directly from the changelog which is
sufficient so far.

> Some even explain why the bug being fixed is not vulnerability at all,
> like this one. (Not even bug, to be exact. It is workaround for static
> checker).
>
> I don't believe the rules are solely responsible for this.

Again, you are conflating the fact that you don't like what we
currently put in the changelog with something you said earlier that was
totally different (i.e. we were assigning cve ids for things that did
not deserve them.)

Moving the goal-posts is fun in a discussion, but not something I have
time for here, sorry.

> > > (And yes, some people are trying to mitigate damage you are doing by
> > > disputing worst offenders, and process shows that quite often CVEs get
> > > assigned when they should not have been.)
> >
> > Mistakes happen, we revoke them when asked, that's all we can do and
> > it's worlds better than before when you could not revoke anything and
> > anyone could, and would, assign random CVEs for the kernel with no way
> > to change that.
>
> Yes, way too many mistakes happen. And no, it is not an improvement
> over previous situation.

Based on many discussions I have had with many companies and users over
the past months, they all seem to disagree with you, which is fine, we
always know we can't please everyone.

greg k-h

Thread overview:
2024-10-02 15:05 [PATCH RFC 6.6.y 00/15] Some missing CVE fixes Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 01/15] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Vegard Nossum
2024-10-02 16:26 ` Dan Carpenter
2024-10-02 16:29 ` Dan Carpenter
2024-10-05 0:45 ` Sasha Levin
2024-10-02 15:05 ` [PATCH RFC 6.6.y 02/15] media: usbtv: Remove useless locks in usbtv_video_free() Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 03/15] Bluetooth: hci_sock: Fix not validating setsockopt user input Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 04/15] Bluetooth: ISO: " Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 05/15] Bluetooth: L2CAP: " Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 06/15] netfilter: nf_tables: fix memleak in map from abort path Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 07/15] netfilter: nf_tables: restore set elements when delete set fails Vegard Nossum
2024-10-02 15:05 ` [PATCH RFC 6.6.y 08/15] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Vegard Nossum
2024-10-02 15:06 ` [PATCH RFC 6.6.y 09/15] iommufd: Fix protection fault in iommufd_test_syz_conv_iova Vegard Nossum
2024-10-02 15:16 ` Jason Gunthorpe
2024-10-02 15:06 ` [PATCH RFC 6.6.y 10/15] drm/bridge: adv7511: fix crash on irq during probe Vegard Nossum
2024-10-02 15:12 ` [PATCH RFC 6.6.y 11/15] efi/unaccepted: touch soft lockup during memory accept Vegard Nossum
2024-10-02 15:12 ` [PATCH RFC 6.6.y 12/15] platform/x86: think-lmi: Fix password opcode ordering for workstations Vegard Nossum
2024-10-04 1:00 ` Mark Pearson
2024-10-02 15:12 ` [PATCH RFC 6.6.y 13/15] null_blk: Remove usage of the deprecated ida_simple_xx() API Vegard Nossum
2024-10-02 15:12 ` [PATCH RFC 6.6.y 14/15] null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Vegard Nossum
2024-10-02 15:12 ` [PATCH RFC 6.6.y 15/15] net: stmmac: move the EST lock to struct stmmac_priv Vegard Nossum
2024-10-02 15:26 ` [PATCH RFC 6.6.y 00/15] Some missing CVE fixes Jens Axboe
2024-10-02 15:46 ` Vegard Nossum
2024-10-02 15:49 ` Jens Axboe
2024-10-08 11:19 ` Pavel Machek
2024-10-08 11:24 ` Greg Kroah-Hartman
2024-10-08 11:40 ` Pavel Machek
2024-10-08 11:51 ` Greg Kroah-Hartman
2024-10-02 15:50 ` Dan Carpenter
2024-10-02 15:54 ` Jens Axboe
2024-10-08 11:16 ` Pavel Machek
2024-10-08 11:24 ` Greg Kroah-Hartman
2024-10-08 11:35 ` Pavel Machek
2024-10-08 11:44 ` Greg Kroah-Hartman
2024-10-08 11:56 ` Christian Heusel
2024-10-08 12:33 ` Pavel Machek
2024-10-08 13:02 ` Greg Kroah-Hartman [this message]
2024-10-02 19:43 ` Pablo Neira Ayuso
2024-10-08 10:32 ` Greg Kroah-Hartman