Effort in getting a CVE for the kernel
Posted Jun 20, 2024 12:58 UTC (Thu) by msmeissn (subscriber, #13641) In reply to: Effort in getting a CVE for the kernel by farnz
Parent article: How kernel CVE numbers are assigned
The Kernel CNA assigns CVEs to fixes, without kind of even looking at whether they are actual vulnerabilities.
A limitation in scope of assignment would easily be possible (like "no testsuite problems", "no boot problems").
Posted Jun 20, 2024 13:26 UTC (Thu) by farnz (subscriber, #17727)
My understanding from talking to people who work on the CVE Project itself (rather than at a CNA) is that the word "SHOULD" in this case is meant to be interpreted as "you should normally assign a CVE for all vulnerabilities, fixed or unfixed, but we understand that there are cases where assigning a CVE for an unfixed vulnerability is problematic, and we'll consider your behaviour on a case-by-case basis".
The intent, however, is that you assign CVEs to all vulnerabilities you know about in the project, even if you only learn about them as part of getting a fix for the vulnerability.
And since you're saying that the kernel CNA assigns CVEs to things that aren't vulnerabilities, can you give a CVE number assigned by the kernel CNA to something that's not a vulnerability at all? Not "minor", or "too hard to exploit", but "not a vulnerability at all".