[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*
From: dann frazier <dannf () debian ! org>
Date: 2009-04-29 5:28:58
Message-ID: 20090429052858.GD11901 () lackof ! org
[Download RAW message or body]
On Tue, Apr 28, 2009 at 08:27:19PM -0500, Steven French wrote:
> Jeff (Layton) was working an additional fix (updating a proposed fix from
> Suresh J.). We will review it together tomorrow.
Cool, thanks Steve.
Also, I now notice that CVE-2009-1439 was assigned for
the nativeFileSystem fixes, so looks like the status is:
CVE-2009-1439:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
CVE-2009-NOT-YET-ASSIGNED:
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
+ some others in progress
Does that look accurate?
>
>
> Steve French
> Senior Software Engineer
> Linux Technology Center - IBM Austin
> phone: 512-838-2294
> email: sfrench at-sign us dot ibm dot com
>
>
>
> dann frazier <dannf@debian.org>
> 04/28/2009 08:12 PM
>
> To
> oss-security@lists.openwall.com
> cc
> security@kernel.org, Steven French/Austin/IBM@IBMUS
> Subject
> Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*
>
>
>
>
>
>
> On Sat, Apr 25, 2009 at 05:40:20PM +0800, Eugene Teo wrote:
> > Hi Steve,
> >
> > > One approach might be to "pre-tag" this whole set of changes with a
> single
> > > CVE, then when they ultimately get merged into a single kernel version
> or
> > > some other concrete milestone, the "scope" of that CVE ends.
> >
> > I'm fine with this approach. It can actually help to make it easier to
> > manage this set of changes.
>
> To summarize (and make sure I understand), the plan is to create a
> single CVE for a collection of CIFS fixes. So far, this series includes
> the following changesets, but others may be added as well:
>
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
>
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e
>
> http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
>
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
>
>
> Is that correct? If so, is there an estimate for when this set will be
> deemed complete and a CVE assigned?
>
> I think that if we wait too long to close this, we'll end up with
> distributions releasing updates with only a subset of these
> fixes, which would make this "collection" somewhat difficult to track
> by CVE ID handle. I'm otherwise quite happy with this plan, fwiw.
>
--
dann frazier
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic