What to do about CVE numbers
Posted Oct 10, 2019 14:19 UTC (Thu) by msmeissn (subscriber, #13641)
Parent article: What to do about CVE numbers
- Spectre variant 1 / single CVE
The Spectre 1 CVE actually covers a problem of the CPU, and not the kernel. The kernel has mitigations for it.
I would consider Spectre 1 even more a "bugclass" (like "format string exploit"), so every mitigating fix would need to get its own CVE (which now would be 50-100 or more for Spectre v1 alone).
Same goes for the other Spectre flavor CVEs, like Bounds Check Bypass Store ...
- Giving government bodies like Mitre advance knowledge of CVEs.
For allocation of a CVE it is not necessary to hand out any information, depending on the CNA. Mitre as the Root CNA, or any CNA able to allocate Kernel issues could hand out a blank CVE without getting details of the issue.
- Misallocation by Mitre
If there were a specific Linux kernel CNA, operated by more knowledgeable people, these could take decisions on what issues get what CVEs.
So far Mitre does it best-effort, and, as GregKH states, does "too much" occasionally.
Mitre for instance blocks any CVE requests for drivers/staging/ already.
This would need at least a full-time position, or even more.