[HN Gopher] The Linux kernel project becomes a CVE numbering aut...
       ___________________________________________________________________
        
       The Linux kernel project becomes a CVE numbering authority
        
       Author : corbet
       Score  : 5 points
       Date   : 2024-02-13 19:14 UTC (3 hours ago)
        
 (HTM) web link (lwn.net)
 (TXT) w3m dump (lwn.net)
        
       | corbet wrote:
       | Just in case anybody is wondering if this is significant...think
       | about the implications of tens of thousands of CVE numbers being
       | assigned for every stable kernel patch. There will have to be
       | changes in the ways people are dealing with these.
        
         | philipwhiuk wrote:
          | The Linux CNA will just mean 'bug' and it will be impossible to
          | know how severe any of them are.
        
       | em-bee wrote:
        | After the curl announcement I pretty much saw this one coming.
        | 
        | As I commented there:
        | https://news.ycombinator.com/item?id=39054152
        | 
        | No one should ever be able to file a CVE without the product owner
        | having a say in this.
        | 
        | Filing a CVE should always include the party that is responsible
        | for the vulnerability, with proper checks and balances.
        | 
        | The current process allows accusing someone without the accused
        | having any ability to defend themselves. It was created with the
        | expectation that only security experts who know what they are
        | doing will file CVEs. That expectation has not held.
        | 
        | This is pretty much why Linus Torvalds refused to announce when
        | they fix security issues in the Linux kernel.
        
         | philipwhiuk wrote:
          | > No one should ever be able to file a CVE without the product
          | owner having a say in this.
          | 
          | That's a really stupid idea. CVEs track security
          | vulnerabilities, not 'security vulnerabilities the product
          | owner is prepared to admit to'.
          | 
          | Imagine if Cisco decided they were going to be the CNA for
          | Cisco devices and just weren't going to issue any CVEs for any
          | vulnerabilities in any Cisco devices, regardless of whether
          | they're exploited or not.
        
       | philipwhiuk wrote:
       | Every bugfix in the kernel is now a CVE. That's awful.
       | 
       | Every unfixed security issue is now no longer assigned a CVE
       | until it's fixed. That's even worse.
        
       ___________________________________________________________________
       (page generated 2024-02-13 23:01 UTC)