
List:       oss-security
Subject:    Re: [oss-security] CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousb
From:       "Maier, Kurt H" <kurt.maier () pnnl ! gov>
Date:       2017-11-07 20:30:05
Message-ID: 1510086603.29942.2.camel () pnnl ! gov

On Tue, 2017-11-07 at 21:22 +0100, Greg KH wrote:
> 
> I hate to ask, but why are you getting CVEs for bugs fixed over a year
> ago, and are already in all stable kernel releases a year ago?  Why does
> it matter?
> 
> Unless you happen to have a product that doesn't ever do kernel updates
> from the stable trees, and well, then you know what you are doing and
> don't need CVEs assigned either, right?  :)
> 

Kernel maintainers' policy is clear, and nobody is asking for that to
change, but please don't sandbag the process of keeping track of
vulnerabilities.  The fraction of "products" (regardless of vendor)
that run linux and never get updates approaches unity.  Being able to
precisely catalog which linux releases suffer from which
vulnerabilities is useful to many.

khm