Home page logo

oss-sec logo oss-sec mailing list archives

Re: handling of Linux kernel vulnerabilities (was: CVE request - Linux kernel: VFAT slab-based buffer overflow)
From: Greg KH <greg () kroah com>
Date: Mon, 4 Mar 2013 10:12:53 +0800

On Mon, Mar 04, 2013 at 05:44:38AM +0400, Solar Designer wrote:
In my opinion, it'd be best if Linus, Greg, et al. would reconsider
their approach.

Reconsider just what specifically?  You bring up a bunch of issues that
the distros need to consider, what can the Linux kernel security team do
differently?  We were asked to notify the linux-distro list, and now we
will be doing that.  Should we not and just go back to how things were

Overall, I think we should bite the bullet and accept sko's
notifications to linux-distros, with a grace period of up to 7 days.
Whenever a distro is ready to release an update, they should be able to
insist on doing so within another 1 day, even if the initially planned
grace period would expire later.  Would sko be OK with this?  Greg?

Again, I don't think anyone that is part of security () kernel org minds
about having the issues publicized, after linux-distro has their time
to get things fixed and to their users.  If the linux-distro people care
about that, that does not seem to be a security () kernel org group issue,

totally confused,

greg k-h

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]