Date: Fri, 16 Feb 2024 12:25:46 +0100
From: Greg Kroah-Hartman
To: Michal Hocko
Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Kees Cook, Sasha Levin, Lee Jones
Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process
Message-ID: <2024021646-procedure-faceted-ea87@gregkh>
References: <2024021430-blanching-spotter-c7c8@gregkh> <2024021518-stature-frightful-e7fc@gregkh>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2024 at 07:36:20PM +0100, Michal Hocko wrote:
> On Thu 15-02-24 19:20:09, Greg KH wrote:
> > On Thu, Feb 15, 2024 at 06:54:17PM +0100, Michal Hocko wrote:
> > > On Wed 14-02-24 09:00:30, Greg KH wrote:
> > > [...]
> > > > +Process
> > > > +-------
> > > > +
> > > > +As part of the normal stable release process, kernel changes that are
> > > > +potentially security issues are identified by the developers responsible
> > > > +for CVE number assignments and have CVE numbers automatically assigned
> > > > +to them. These assignments are published on the linux-cve-announce
> > > > +mailing list as announcements on a frequent basis.
> > > > +
> > > > +Note, due to the layer at which the Linux kernel is in a system, almost
> > > > +any bug might be exploitable to compromise the security of the kernel,
> > > > +but the possibility of exploitation is often not evident when the bug is
> > > > +fixed. Because of this, the CVE assignment team is overly cautious and
> > > > +assign CVE numbers to any bugfix that they identify. This
> > > > +explains the seemingly large number of CVEs that are issued by the Linux
> > > > +kernel team.
> > >
> > > Does the process focus only on assigning CVE numbers to a given upstream
> > > commit(s) without any specifics of the actual security threat covered by
> > > the said CVE?
> >
> > Outside of the git commit text, no, we are not going to be adding
> > anything additional to the report, UNLESS someone wants to add
> > additional text to it, and then we will be glad to update a CVE entry
> > with the additional information.
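Review bot: subject-verb agreement in the second paragraph of the quoted hunk: "the CVE assignment team is overly cautious and assign CVE numbers" should read "assigns CVE numbers", since "team" is singular and the first verb already uses "is". In the same hunk, "published on the linux-cve-announce mailing list as announcements on a frequent basis" gives readers no way to know the actual cadence; either state when announcements go out or drop "on a frequent basis" and leave the sentence at "published on the linux-cve-announce mailing list".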
>
> OK, so what is the point of having CVE assigned to such a commit without
> any additional information which is already referenced by the kernel sha?
> What is the actual added value of that CVE?

It provides the proper signal to others that "hey, this is a vulnerability
that you might want to take if it affects you". Right now we are fixing
lots and lots of things and no one notices as their "traditional" path of
only looking at CVEs for the kernel is totally incorrect.

> > Here's an example of what the CVE announcement is going to look like for
> > a "test" that we have been doing for our scripts
> > https://lore.kernel.org/linux-cve-announce/2024021353-drainage-unstuffed-a7c0@gregkh/T/#u
>
> Thanks, this gave me some idea. One worrying part is
> : Please note that only supported kernel versions have fixes applied to
> : them. For a full list of currently supported kernel versions, please
> : see https://www.kernel.org/
>
> From the above it is not really clear "supported by _whom_". Because I
> am pretty sure there are _fully_ supported kernels outside of that list
> which are actively maintained.

Very true, how about this wording change:

	For a full list of currently supported kernel versions by the kernel
	developer community, please see https://www.kernel.org/

I added "by the kernel developer community", is that ok?

And as you're here, I have no objection to adding the vulnerable/fixes
info from various distros that are currently based on these same
kernel.org versions if you wish to provide them to me. Give us a few
more days to nail down the version reporting format and then take a look
at it to see if you all can tie into that.

thanks,

greg k-h