docs: information about reporting Linux kernel security bugs is outdated #4714

Open
xairy opened this issue Apr 24, 2024 · 0 comments · May be fixed by #5461 or #5502
@xairy
Collaborator

xairy commented Apr 24, 2024

The Reporting Linux kernel bugs page is outdated: CVEs are no longer assigned by MITRE but by the Linux CNA.

@xairy xairy added the bug label Apr 24, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 4, 2024
Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and recent Greg K-H video from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to
the issue even if it triggers WARN_ON with panic_on_warn enabled and
reboots the system.

Since there are 4 different parties with their own interests:
- [email protected] wants to release the fix ASAP, but can be
  postponed if the reporter asks for an embargo period to let linux-distros
  update their kernels.

- [email protected] is included in the mailing list, once
  the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, [email protected] should not be
mentioned in the conversation as they don't have any further interests.

- [email protected] is notified once the fix is publicly
  merged to the stable tree

- [email protected] is notified if the CVE should be assigned to the fix
  which is publicly merged to the stable tree.

Fixes: google#4714
@novitoll novitoll linked a pull request Nov 4, 2024 that will close this issue
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 5, 2024
Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and recent Greg K-H video from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to
the issue even if it triggers WARN_ON with panic_on_warn enabled and
reboots the system.

Since there are 4 different parties with their own interests:
- [email protected] wants to release the fix ASAP, but can be
  postponed if the reporter asks for an embargo period to let linux-distros
  update their kernels.

- [email protected] is included in the mailing list, once
  the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, [email protected] should not be
mentioned in the conversation as they don't have any further interests.

- [email protected] is notified once the fix is publicly
  merged to the stable tree

- [email protected] is notified if the CVE should be assigned to the fix
  which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation
====================================
- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram"
	as we've already included the draw.io scheme as the separate
	file

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 5, 2024
Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and recent Greg K-H video from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to
the issue even if it triggers WARN_ON with panic_on_warn enabled and
reboots the system.

Since there are 4 different parties with their own interests:
- [email protected] wants to release the fix ASAP, but can be
  postponed if the reporter asks for an embargo period to let linux-distros
  update their kernels.

- [email protected] is included in the mailing list, once
  the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, [email protected] should not be
mentioned in the conversation as they don't have any further interests.

- [email protected] is notified once the fix is publicly
  merged to the stable tree

- [email protected] is notified if the CVE should be assigned to the fix
  which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation
====================================
- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram"
	as we've already included the draw.io scheme as the separate
	file
- Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save ".drawio"
  format (draw.io scheme)

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 6, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024
Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html
* and recent Greg K-H video from the recent conference - https://www.youtube.com/watch?v=KumwRn1BA6s

Removed minor, major security bug classifications as now,
CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn
enabled and reboots the system.

The updated reporting process strictly follows the [email protected]
guideline.

Fixes: google#4714
novitoll added a commit to novitoll/syzkaller that referenced this issue Nov 11, 2024