From patchwork Fri Jun 30 07:14:20 2023
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 114602
From: Greg Kroah-Hartman
To: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org, Greg Kroah-Hartman
Subject: [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
Date: Fri, 30 Jun 2023 09:14:20 +0200
Message-ID: <2023063020-throat-pantyhose-f110@gregkh>
X-Mailer: git-send-email 2.41.0
X-Mailing-List: linux-kernel@vger.kernel.org

Because the linux-distros group forces reporters to release information about reported bugs, and they impose arbitrary deadlines in having those bugs fixed despite not actually being kernel developers, the kernel security team recommends not interacting with them at all as this just causes confusion and the early-release of reported security problems.
Signed-off-by: Greg Kroah-Hartman
Reviewed-by: Kees Cook
---
 Documentation/process/security-bugs.rst | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 82e29837d589..f12ac2316ce7 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -63,20 +63,18 @@ information submitted to the security list and any followup discussions of the report are treated confidentially even after the embargo has been lifted, in perpetuity. -Coordination ------------- +Coordination with other groups +------------------------------ -Fixes for sensitive bugs, such as those that might lead to privilege -escalations, may need to be coordinated with the private - mailing list so that distribution vendors -are well prepared to issue a fixed kernel upon public disclosure of the -upstream fix. Distros will need some time to test the proposed patch and -will generally request at least a few days of embargo, and vendor update -publication prefers to happen Tuesday through Thursday. When appropriate, -the security team can assist with this coordination, or the reporter can -include linux-distros from the start. In this case, remember to prefix -the email Subject line with "[vs]" as described in the linux-distros wiki: - +The kernel security team strongly recommends that reporters of potential +security issues NEVER contact the "linux-distros" mailing list until +AFTER discussing it with the kernel security team. Do not Cc: both +lists at once. You may contact the linux-distros mailing list after a +fix has been agreed on and you fully understand the requirements that +doing so will impose on you and the kernel community. + +The different lists have different goals and the linux-distros rules do +not contribute to actually fixing any potential security problems. 
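Review bot: the new paragraph tells reporters to contact linux-distros only once they "fully understand the requirements that doing so will impose", but the removed text was the only place those requirements were described (the few days of embargo distros ask for, the Tuesday-through-Thursday publication window, the "[vs]" Subject prefix and the linux-distros wiki link), so the replacement is not actionable on its own; suggest keeping a one-line pointer to the linux-distros wiki where their current rules are published. The reason for the stronger stance (the list forces release of information and sets deadlines, per the commit message) appears nowhere in the document, so the closing sentence "the linux-distros rules do not contribute to actually fixing any potential security problems" reads as an unexplained judgement; a clause stating what those rules require would let the reader see why the security team wants to be consulted first.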
CVE assignment --------------

From patchwork Fri Jun 30 07:14:21 2023
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 114600
From: Greg Kroah-Hartman
To: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org, Greg Kroah-Hartman
Subject: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling
Date: Fri, 30 Jun 2023 09:14:21 +0200
Message-ID: <2023063022-retouch-kerosene-7e4a@gregkh>
In-Reply-To: <2023063020-throat-pantyhose-f110@gregkh>
References: <2023063020-throat-pantyhose-f110@gregkh>
X-Mailer: git-send-email 2.41.0
X-Mailing-List: linux-kernel@vger.kernel.org

The kernel security team does NOT assign CVEs, so document that properly and provide the "if you want one, ask MITRE for it" response that we give on a weekly basis in the document, so we don't have to constantly say it to everyone who asks.
Signed-off-by: Greg Kroah-Hartman
---
 Documentation/process/security-bugs.rst | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index f12ac2316ce7..8b80e1eb7d79 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems. CVE assignment -------------- -The security team does not normally assign CVEs, nor do we require them -for reports or fixes, as this can needlessly complicate the process and -may delay the bug handling. If a reporter wishes to have a CVE identifier -assigned ahead of public disclosure, they will need to contact the private -linux-distros list, described above. When such a CVE identifier is known -before a patch is provided, it is desirable to mention it in the commit -message if the reporter agrees. +The security team does not assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may +delay the bug handling. If a reporter wishes to have a CVE identifier +assigned, they should contact MITRE directly. Non-disclosure agreements -------------------------
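Review bot: "they should contact MITRE directly" gives the reporter nothing to act on, whereas the removed text at least named a concrete channel ("the private linux-distros list, described above"); since the commit message says the goal is to stop answering this question every week, put the channel in the document itself, e.g. a link to MITRE's CVE request form, so the question does not come back in a different form. The hunk also silently drops the sentence about mentioning a known CVE identifier in the commit message when the reporter agrees; if that guidance is intentionally withdrawn the commit message should say so, otherwise keep it after the new MITRE sentence, since reporter-obtained CVEs will still exist.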