~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/process/cve.rst

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/process/cve.rst (Version linux-6.11.5) and /Documentation/process/cve.rst (Version linux-5.5.19)


  1 ====                                              
  2 CVEs                                              
  3 ====                                              
  4                                                   
  5 Common Vulnerabilities and Exposure (CVE®) nu    
  6 unambiguous way to identify, define, and catal    
  7 security vulnerabilities.  Over time, their us    
  8 regards to the kernel project, and CVE numbers    
  9 in inappropriate ways and for inappropriate re    
 10 the kernel development community has tended to    
 11 combination of continuing pressure to assign C    
 12 security identifiers, and ongoing abuses by in    
 13 outside of the kernel community has made it cl    
 14 community should have control over those assig    
 15                                                   
 16 The Linux kernel developer team does have the     
 17 potential Linux kernel security issues.  This     
 18 of the :doc:`normal Linux kernel security bug     
 19 process<../process/security-bugs>`.               
 20                                                   
 21 A list of all assigned CVEs for the Linux kern    
 22 archives of the linux-cve mailing list, as see    
 23 https://lore.kernel.org/linux-cve-announce/.      
 24 assigned CVEs, please `subscribe                  
 25 <https://subspace.kernel.org/subscribing.html>    
 26                                                   
 27 Process                                           
 28 =======                                           
 29                                                   
 30 As part of the normal stable release process,     
 31 potentially security issues are identified by     
 32 for CVE number assignments and have CVE number    
 33 to them.  These assignments are published on t    
 34 mailing list as announcements on a frequent ba    
 35                                                   
 36 Note, due to the layer at which the Linux kern    
 37 any bug might be exploitable to compromise the    
 38 but the possibility of exploitation is often n    
 39 fixed.  Because of this, the CVE assignment te    
 40 assign CVE numbers to any bugfix that they ide    
 41 explains the seemingly large number of CVEs th    
 42 kernel team.                                      
 43                                                   
 44 If the CVE assignment team misses a specific f    
 45 should have a CVE assigned to it, please email<    
 46 and the team there will work with you on it.      
 47 security issues should be sent to this alias,     
 48 of CVEs for fixes that are already in released    
 49 feel you have found an unfixed security issue,    
 50 :doc:`normal Linux kernel security bug reporti    
 51 process<../process/security-bugs>`.               
 52                                                   
 53 No CVEs will be automatically assigned for unf    
 54 the Linux kernel; assignment will only automat    
 55 is available and applied to a stable kernel tr    
 56 that way by the git commit id of the original     
 57 have a CVE assigned before an issue is resolve    
 58 contact the kernel CVE assignment team at <cve@    
 59 identifier assigned from their batch of reserv    
 60                                                   
 61 No CVEs will be assigned for any issue found i    
 62 that is not currently being actively supported    
 63 team.  A list of the currently supported kerne    
 64 https://kernel.org/releases.html                  
 65                                                   
 66 Disputes of assigned CVEs                         
 67 =========================                         
 68                                                   
 69 The authority to dispute or modify an assigned    
 70 change lies solely with the maintainers of the    
 71 affected.  This principle ensures a high degre    
 72 accountability in vulnerability reporting.  On    
 73 deep expertise and intimate knowledge of the s    
 74 assess the validity and scope of a reported vu    
 75 its appropriate CVE designation.  Any attempt     
 76 outside of this designated authority could lea    
 77 reporting, and ultimately, compromised systems    
 78                                                   
 79 Invalid CVEs                                      
 80 ============                                      
 81                                                   
 82 If a security issue is found in a Linux kernel    
 83 a Linux distribution due to the changes that h    
 84 distribution, or due to the distribution suppo    
 85 that is no longer one of the kernel.org suppor    
 86 can not be assigned by the Linux kernel CVE te    
 87 from that Linux distribution itself.              
 88                                                   
 89 Any CVE that is assigned against the Linux ker    
 90 supported kernel version, by any group other t    
 91 CVE team should not be treated as a valid CVE.    
 92 kernel CVE assignment team at <cve@kernel.org>     
 93 invalidate such entries through the CNA remedi    
 94                                                   
 95 Applicability of specific CVEs                    
 96 ==============================                    
 97                                                   
 98 As the Linux kernel can be used in many differ    
 99 different ways of accessing it by external use    
100 the applicability of any specific CVE is up to    
101 determine, it is not up to the CVE assignment     
102 contact us to attempt to determine the applica    
103 CVE.                                              
104                                                   
105 Also, as the source tree is so large, and any     
106 small subset of the source tree, any users of     
107 large numbers of assigned CVEs are not relevan    
108                                                   
109 In short, we do not know your use case, and we    
110 of the kernel that you use, so there is no way    
111 specific CVE is relevant for your system.         
112                                                   
113 As always, it is best to take all released ker    
114 tested together in a unified whole by many com    
115 individual cherry-picked changes.  Also note t    
116 solution to the overall problem is not found i    
117 the sum of many fixes on top of each other.  I    
118 assigned to all fixes for all issues, but some    
119 notice fixes, therefore assume that some chang    
120 might be relevant to take.                        
121                                                   
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php