On Sat, Jun 07, 2025 at 10:17:08AM +0200, Greg KH wrote:
> On Fri, Jun 06, 2025 at 06:00:09PM +0200, Attila Szasz wrote:
> > I don't see how Canonical Product Security is a bad actor here for caring
> > about the actual security of downstream users and acting in a timely
> > manner about an issue that they considered to impact Ubuntu Linux,
> > correctly.
> >
> > Canonical has a scope of
> > "All Canonical issues (including Ubuntu Linux) only."
> >
> > kernel.org has a scope of
> > "Any vulnerabilities in the Linux kernel as listed on kernel.org, excluding
> > end-of-life (EOL) versions."
> >
> > Both of them were contacted.
For the record, the CNA for kernel.org was NOT contacted here at all for
this issue. You sent a message to secur...@kernel.org, NOT
c...@kernel.org. security@k.o has nothing to do with CVE assignments and
is NOT responsible for the kernel.org CNA. Our documentation should
state this very clearly, if not, we will be glad to update it where
needed, just let us know.
The scope, which I assume was quoted from
https://www.cve.org/PartnerInformation/ListofPartners/partner/Linux also
lists c...@kernel.org as the right email to contact.
Note that this isn't just a technicality: for example, I'm a member of
cve@k.o, but *NOT* of security@k.o.
The first I learned of this issue was your LinkedIn post[1] after this
was already assigned a CVE from Canonical.

[1] https://www.linkedin.com/posts/attila-sz%C3%A1sz-086abb122_ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-activity-7307735032729690113-Y8uY
--
Thanks,
Sasha