* Dan Carpenter <dan.carpen...@oracle.com> wrote:
> On Fri, Dec 13, 2013 at 11:31:48AM +0100, Alexander Holler wrote:
> > I've never seen a comment inside the kernel sources which does point
> > to a CVE, so I assume there already does exists some agreement about
> > not doing so.
>
> We do occasionally put CVE numbers in the commit message, but
> normally the commit comes first before we ask for a CVE number.
The detection code will most likely come after the fix is applied.
In that case the 'ID' of the message could also be the commit ID of
the fix in question:
detect_exploit("[exploit for d8af4ce490e9: Fix syscall bug]")
or so - no CVE needed, it's a free form ID that can contain anything
descriptive about the bug the attacker attempted to exploit.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
