On Tue, Jun 4, 2019 at 12:52 AM Greg KH gregkh@linuxfoundation.org wrote:
On Mon, Jun 03, 2019 at 10:31:15AM -0700, Zubin Mithra wrote:
Hello,
CVE-2019-12378 was fixed in the upstream linux kernel with the following commit.
- 95baa60a0da8 ("ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()")
A CVE was created for that tiny thing?
Hah, no, I think I'll refuse to apply it just for the very point of it.
We don't create CVEs, but we do have to get CVE fixes applied to our branches. We don't try to police the creation of CVEs, and we don't try to double-guess them since that would be futile (who guarantees that our double-guessing matches yours ?). We do have a policy to not apply CVEs directly but ask for stable tree merges instead to avoid deviation, and we (more specifically, Zubin) spend a lot of time validating the fixes before sending a request. I just made that official policy, but a policy is not cast in stone. We will stop doing that if we get this kind of response. If that is what you want, let me know.
Zubin, maybe hold back with -stable backport requests for the time being, and just apply missing patches directly to our branches. Sorry for the trouble.
That's something that can not be triggered by normal operations, right? It's a bugfix-for-the-theoritical from what I can see...
Could the patch be applied to v4.19.y, v4.14.y, v4.9.y and v4.4.y?
Why are you ignoring 5.1?
Probably because no one is perfect.
Thanks, Guenter
thanks,
greg k-h