Re: Proper procedure for reporting possible security vulnerabilities?

From: Florian Weimer
Date: Tue Jan 11 2005 - 04:51:22 EST


* Jesper Juhl:

> I don't know what other people would do or what the general feeling on
> the list is, but personally I'd send such reports to the maintainer and
> CC lkml, if there is no maintainer I'd just send to lkml.

Nevertheless, it would be good to have a designated security contact
just in case, when something is discovered that needs a more
coordinated form of disclosure. Death by a single IP packet in the
default configuration, for example.

Local privilege escalation (or even denial-of-service) is not really
relevant. We know from experience that Linux does not enforce local
account separation and won't do so for the foreseeable future, and the
prudent don't rely on it.