The kernel becomes its own CNA
Greg Kroah-Hartman has announced that the kernel project has been accepted as a CVE numbering authority (CNA). The way that CVE numbers will be handled by the kernel is described in this documentation patch:
As part of the normal stable release process, kernel changes that are potentially security issues are identified by the developers responsible for CVE number assignments and have CVE numbers automatically assigned to them. These assignments are published on the linux-cve mailing list as announcements on a frequent basis. Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team.