Conversation

Notices

Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 14-Feb-2024 06:11:03 JST
    Linux is now a CNA: http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/

    This has taken a long time, I'd like to thank all the groups that helped, and especially the CVE group themselves. Our application was a bit different than other groups, but they understood that this is important for security overall.

    Attachment: Linux is a CNA (www.kroah.com)

      As was recently announced, the Linux kernel project has been accepted as a CNA as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux. This is a trend, of more open source projects taking over the haphazard assignments of CVEs against their project by becoming a CNA so that no other group can assign CVEs without their involvement. Here's the curl project doing much the same thing for the same reasons.
    Thorsten Leemhuis (acct. 1/4) (kernellogger@fosstodon.org)'s status on Wednesday, 14-Feb-2024 16:17:08 JST
    in reply to @gregkh
      Will also be interesting to see how many CVEs will be issued in the end; it sounds like it will be a whole lot, which likely will have some interesting effects. 😬

    Thorsten Leemhuis (acct. 1/4) (kernellogger@fosstodon.org)'s status on Wednesday, 14-Feb-2024 16:17:09 JST
    in reply to @gregkh

      Will be interesting to see how the new process[1] plays together with "participation in stable is optional for mainline developers" and the "developers almost never declare specific changes as security fixes"[2] approach I assume still holds true for mainline.

      It sounds like it could easily happen that someone fixes a security bug in mainline w/o telling anybody, so no CVE would be issued unless someone backports the change.

      [1] https://lore.kernel.org/lkml/2024021314-unwelcome-shrill-690e@gregkh/

      [2] http://kroah.com/log/blog/2018/02/05/linux-kernel-release-model/#security

      Attachments

      1. [PATCH] Documentation: Document the Linux Kernel CVE process - Greg Kroah-Hartman
      2. Linux Kernel Release Model (www.kroah.com)
         Note This post is based on a whitepaper I wrote at the beginning of 2016 to be used to help many different companies understand the Linux kernel release model and encourage them to start taking the LTS stable updates more often. I then used it as a basis of a presentation I gave at the Linux Recipes conference in September 2017 which can be seen here. With the recent craziness of Meltdown and Spectre, I've seen lots of things written about how Linux is released and how we handle security patches that are totally incorrect, so I figured it is time to dust off the text, update it in a few places, and publish this here for everyone to benefit from.
    Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 14-Feb-2024 16:17:56 JST
    in reply to Thorsten Leemhuis (acct. 1/4)
      @kernellogger That's kind of a "if a tree falls in a forest and no one hears it, does it make a sound?" type of question, right?

      Yes, if no one tells us that a specific issue/bugfix/whatever should have a CVE, and it doesn't get backported to stable (which will automatically trigger the review for CVE assignment), then you are correct, nothing will be assigned as obviously, no one noticed it.

      So there is no sound :)