From a blog post by Greg Kroah-Hartman:
As recently announced, the Linux Kernel Project has been approved as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.
This is a trend where more open source projects become CNAs, taking over the haphazard assignment of CVEs to projects and preventing other groups from assigning CVEs without involvement. The curl project has done pretty much the same thing for the same reason. I would like to point out the great work the Python project has done in supporting this effort, and the OpenSSF project has also encouraged this and provided documentation and assistance for open source projects to achieve this. I would also like to thank the cve.org group and Board of Directors for making the application process so smooth and providing so much support to make this all possible.
As many of you know, I've talked about CVEs many times in the past. Indeed, I think the whole system is broken in many ways. But this change is a way for us to take more responsibility for this and hopefully improve it. The process will improve over time. This is also a task that all open source projects seem to be required to take on in order to follow recent regulations and laws enacted in different parts of the world. So by putting this in the kernel, we can notify all kinds of different CNAs, and create something like an organization for it if needed in the future.
Kroah-Hartman links to his post on the kernel mailing list for “more information on how this works in the kernel.”
Almost any bug can be exploited to compromise the security of the Linux kernel within the system, but the potential for exploitation is not obvious by the time the bug is fixed. Often it isn't. Because of this, the CVE assignment team is very careful and assigns CVE numbers to the bug fixes it identifies. This explains the seemingly numerous CVEs issued by the Linux kernel team…
CVEs are not assigned to unfixed security issues in the Linux kernel. Assignments are made only after the fix is available, as it can be well tracked by the git commit ID of the original fix. Issues found in versions of the kernel that are not currently actively supported by the Stable/LTS kernel team will not be assigned a CVE.
alanw (Slashdot reader #1,822) points out an ongoing discussion on LWN.net and is concerned that this could overwhelm the CVE infrastructure.
But Greg Kroah-Hartman, reached for comment, believes there may be a misunderstanding. He told Slashdot that the CVE group "explicitly requested this as part of our application… So if they're happy with it, why aren't others? Is that so?" he said.