[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2023-0122: Linux kernel: Pre-Auth Remote DoS in NVMe
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2023-01-18 8:00:20
Message-ID: Y8enFHfWv5LQ8Whx () eldamar ! lan
[Download RAW message or body]

Hi

On Fri, Jan 13, 2023 at 11:17:00AM +0100, Greg KH wrote:
> On Thu, Jan 12, 2023 at 01:24:38PM -0600, John Helmert III wrote:
> > On Thu, Jan 12, 2023 at 06:10:23PM +0100, Greg KH wrote:
> > > On Thu, Jan 12, 2023 at 04:12:30PM +0200, Tal Lossos wrote:
> > > > Hi all,
> > > > 
> > > > # Description
> > > > A NULL Pointer Dereference bug in nvmet_setup_auth
> > > > (drivers/nvme/target/auth.c) can be triggered remotely to cause a DoS.
> > > > Since the bug occurs in the authentication feature, it can be easily
> > > > triggered by an unauthorized client in the pre-auth stage.
> > > > Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4).
> > > 
> > > Meta-comment, why are CVE's being assigned for issues found, and then
> > > fixed, in development kernel releases?  Who assigned this CVE, MITRE or
> > > someone else?
> > 
> > This information used to be available for "reserved" CVEs in the JSON
> > data in [1], but now that that's retired I'm not sure this is made
> > public anywhere.
> > 
> > [1] https://github.com/CVEProject/cvelistV5
> 
> So if we don't know who allocated it, we can't know who to ask to get it
> revoked?

According to the CVE entry now published, the assignerShortName is
"redhat" so the contact to discuss to possibly reject the CVE would be
https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat
(see CNA contact email).

Hope this helps,

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]