docs: information about reporting Linux kernel security bugs is outdated #4714
novitoll added a commit to novitoll/syzkaller that referenced this issue on Nov 4, 2024:

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with their own interests:

- [email protected] wants to release the fix ASAP, but can be postponed if the reporter asks for an embargo period to let linux-distros update their kernels.
- [email protected] is included in the mailing list once the fix is developed, but NOT merged in the stable tree. Once the fix lands on the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interests.
- [email protected] is notified once the fix is publicly merged to the stable tree.
- [email protected] is notified if the CVE should be assigned to the fix which is publicly merged to the stable tree.

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue on Nov 5, 2024:

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with their own interests:

- [email protected] wants to release the fix ASAP, but can be postponed if the reporter asks for an embargo period to let linux-distros update their kernels.
- [email protected] is included in the mailing list once the fix is developed, but NOT merged in the stable tree. Once the fix lands on the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interests.
- [email protected] is notified once the fix is publicly merged to the stable tree.
- [email protected] is notified if the CVE should be assigned to the fix which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation
====================================

- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram" as we've already included the draw.io scheme as the separate file

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue on Nov 5, 2024:

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with their own interests:

- [email protected] wants to release the fix ASAP, but can be postponed if the reporter asks for an embargo period to let linux-distros update their kernels.
- [email protected] is included in the mailing list once the fix is developed, but NOT merged in the stable tree. Once the fix lands on the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interests.
- [email protected] is notified once the fix is publicly merged to the stable tree.
- [email protected] is notified if the CVE should be assigned to the fix which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation
====================================

- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram" as we've already included the draw.io scheme as the separate file
- Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save ".drawio" format (draw.io scheme)

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue on Nov 11, 2024:

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html
* and recent Greg K-H video from the recent conference - https://www.youtube.com/watch?v=KumwRn1BA6s

Removed minor, major security bug classifications as now, CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

The updated reporting process strictly follows the [email protected] guideline.

Fixes: google#4714
The Reporting Linux kernel bugs page is outdated: CVEs are no longer assigned by MITRE but by the Linux CNA.