List:       oss-security
Subject:    Re: [oss-security] CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousb
From:       Vladis Dronov <vdronov () redhat ! com>
Date:       2017-11-13 15:07:00
Message-ID: 640892254.31427608.1510585620318.JavaMail.zimbra () redhat ! com

Hello, Greg, all,

My fault here was indeed not stating that a Red Hat product is
vulnerable (thus, a CVE was assigned), but stating that only the Linux
kernel is vulnerable (while indeed it was fixed long ago). Please
accept my apologies.

> I hate to ask, but why are you getting CVEs for bugs fixed over a year
> ago, and are already in all stable kernel releases a year ago?  Why does
> it matter?

I'm afraid you won't like the answer, but in short, Red Hat
is a CNA (CVE Numbering Authority) for Red Hat's products and the Linux
kernel and we've decided to assign this CVE.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer