Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ZlZ8nCsZUZxhKwCf@codewreck.org>
Date: Wed, 29 May 2024 09:53:48 +0900
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: oss-security@...ts.openwall.com
Subject: List linux CVEs for a given stable release?

Hi Greg,

(Cc-ing oss-security because I think more people there might be
interested than people subscribed to cve@...nel.org and I didn't want to
cross-post to multiple lists)


Up until last month someone had been managing a linuxkernelcves[1][2]
site, but it's somehow gone without a trace (DNS emptied, no message I
could see announcing it anywhere)

[1] https://www.linuxkernelcves.com
[2] https://github.com/nluedtke/linux_kernel_cves


With the new vulns[3] repo I thought I could do similar search there,
but while there are scripts to search by commit ID or by CVE I don't see
anything allowing search for issues affecting a given stable release.

[3] https://git.kernel.org/pub/scm/linux/security/vulns.git/

My motivation here is double:
- We notify our users of notable CVEs fixed on every update to encourage
them to upgrade every time (it's sad, but in the embedded world not
updating is still the norm despite our efforts to make upgrades as
painless as possible... New regulations are coming so hopefully that
will slowly improve, but as of now such motivations help)
- I'm currently not watching patches entering newer stable branches as
closely, so if there are any new CVEs not fixed in the latest 5.10 I'd
like to check if some impact us and will help with backports as possible
(we're a small company so my time is limited, but might as well give
back when I can)


The information is there in the json files, so it's just a matter of
writing some scripts to check them, but I can't believe there's none so
I probably have missed something.

Does someone have such a script that'd list the latest CVEs for a given
tree?

Thanks,
-- 
Dominique Martinet | Asmadeus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.