Re: CVE abstraction choices and the Linux kernel
From: Michael Gilbert <mgilbert () debian org>
Date: Thu, 14 Mar 2013 21:18:45 -0400
On Fri, Mar 8, 2013 at 9:57 AM, Steven M. Christey wrote:
> Considering the Krause kernel info-leaks as an example, this might
> suggest about 11 CVEs for crypto, xfrm_user, net (including net/tun),
> ipvs, dccp, llc, l2tp, Bluetooth, atm, udf, and isofs. There might
> be additional SPLITs based on bug type.
>
> What do people think? To the distro maintainers: given that CVE
> cannot support per-bug IDs for the reasons I've already described,
> are per-subsystem SPLITs workable?
Speaking only for myself, I think this is a quite reasonable way to draw a line.