On Sat, May 30, 2015 at 12:36:19AM +0300, Henri Salo wrote: > Please correct me if I am wrong somewhere in this email. I just want to > understand why you said this. > > On Tue, May 26, 2015 at 07:52:47AM -0700, Greg KH wrote: > > For a 2 year old bugfix? > > Age does not matter for CVE assigment as far as I can tell. Sweet, who is going to go and start asking for CVEs for all bugs that we have fixed in the past 10 years in the Linux kernel? Should I just to flood the list of CVEs and see if people's tools can really handle the extra number problem when parsing them? :) What good would it be to do such a thing? > > I know you all like to try to track bugs for old and obsolete products, > > but really, there's no end of CVEs you could request if you wish to do > > this. Heck, I could start asking for multiple CVEs for every single > > stable kernel release I do, which would just be pointless. > > Please just mark this as a "oh look, a bug was fixed years ago and we > > need to backport it because we have old kernels out in the wild and our > > customers don't like to upgrade" type issue. > > Don't force CVEs to play by the odd enterprise rules that you all wish > > perpetuate. > > CVE is defined as "common identifiers for publicly known information-security > vulnerabilities in publicly released software packages". > > How is it pointless to request CVE identifier for security issue in kernel or > other software if that software is released and used by some distro or other > entity? How do you calculate how many users are using some kernel if it is > released in public website? Please note that this might be easier for kernel > than some other software like web-application project in GitHub. The issue is, where do you draw the line? I know systems still using 2.x kernels, in supported configurations. Those were released a very long time ago, do we assign CVEs for bugs fixed from the past 10 years till 5 years ago just to make it easy for the company that is maintaining that kernel to justify to their customers the reason they should be updating their kernels? And that's it, it's not a "we need to track this", for such old bugs (and by "old" I would classify anything older than a year for the kernel as old, as that's hundreds of thousands of patches ago)? It's the job of companies that insist on using such old software, to maintain and keep them up to date, it's not the job of the "community" here to have to deal with assigning issues to things that are really old and already fixed. > One reason I could think of for not requesting CVEs for issues is that it > creates workload to MITRE or other CNA (and in some cases users of CVE when they > are tracking issues). If that is the case could you or MITRE tell me where > should that line be drawn? It's not up to me to tell other people what to work on or spend resources on. If MITRE wishes to track things in really old releases, that's their business. But from a community point of view, that seems foolish and wasteful as the only thing you are catering to here are people who somehow only wish to update if they see a "CVE" number assigned to that update. And that's the issue here I think. Otherwise, why ask for CVEs for old releases that no one in the community is supporting anymore? What good is it for except for the customers of the companies that wish to do that support for them? > Or if this is not the case do you mean that "vulnerability in the kernel tty > subsystem" is not critical enough for CVE? If that is the case how is that > calculated? As the maintainer of the tty subsystem, I'm not going to judge what is and what is not "critical enough" for a CVE, as I personally think the whole thing is a joke for old bugs like this. Maybe for newly found things, it makes sense to be able to track across releases what has and what has not been applied. But when it comes to older things like this, I seriously fail to see the point. > Or even "vulnerability in the kernel tty subsystem" is not a security issue? Define "vulnerability"? :) We fix things that cause kernel crashes every single day. Do you see us asking for CVEs for everyone of those? No, because that would be foolish. Although, it would point out the foolishness of the whole system if I were to start doing that. Call it "performance art", that might be fun to do for a few months if for no other reason than to enjoy the show :) tl;dr I feel that CVEs for old kernels / releases that are not being maintained by the upstream project, and have been fixed for a long time in those upstream maintained releases, are pointless. thanks, greg k-h