git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob f40917180d1b57f3d130f020638626e97ddf5eae
From 4fee0915e649bd0cea56dece6d96f8f4643df33c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 30 Jun 2023 09:14:20 +0200
Subject: Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4fee0915e649bd0cea56dece6d96f8f4643df33c upstream.

Because the linux-distros group forces reporters to release information
about reported bugs, and they impose arbitrary deadlines in having those
bugs fixed despite not actually being kernel developers, the kernel
security team recommends not interacting with them at all as this just
causes confusion and the early-release of reported security problems.

Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/process/security-bugs.rst | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -63,20 +63,18 @@ information submitted to the security li
 of the report are treated confidentially even after the embargo has been
 lifted, in perpetuity.
 
-Coordination
-------------
+Coordination with other groups
+------------------------------
 
-Fixes for sensitive bugs, such as those that might lead to privilege
-escalations, may need to be coordinated with the private
-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
-are well prepared to issue a fixed kernel upon public disclosure of the
-upstream fix. Distros will need some time to test the proposed patch and
-will generally request at least a few days of embargo, and vendor update
-publication prefers to happen Tuesday through Thursday. When appropriate,
-the security team can assist with this coordination, or the reporter can
-include linux-distros from the start. In this case, remember to prefix
-the email Subject line with "[vs]" as described in the linux-distros wiki:
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
+The kernel security team strongly recommends that reporters of potential
+security issues NEVER contact the "linux-distros" mailing list until
+AFTER discussing it with the kernel security team. Do not Cc: both
+lists at once. You may contact the linux-distros mailing list after a
+fix has been agreed on and you fully understand the requirements that
+doing so will impose on you and the kernel community.
+
+The different lists have different goals and the linux-distros rules do
+not contribute to actually fixing any potential security problems.
 
 CVE assignment
 --------------
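Review bot: The replacement paragraph tells reporters they "may contact the linux-distros mailing list after a fix has been agreed on and you fully understand the requirements that doing so will impose", but the same hunk removes the only places those requirements were documented: the list address <linux-distros@vs.openwall.org>, the "[vs]" Subject-line prefix, and the wiki link <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>. A reporter who reaches that step now has no pointer to what they are supposed to have understood, or even to the list's address. Suggest keeping one sentence after "...on you and the kernel community." that retains the address and the wiki URL, for example: "The list and its rules are described at <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>." The removed embargo-timing guidance (distros ask for a few days and prefer publication Tuesday through Thursday) is also practical information a reporter coordinating an embargo still needs; if dropping it is intentional, the commit message should say so rather than leaving it implicit. The new heading underline is the same length as "Coordination with other groups", so the RST stays well-formed.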