[kernel-sec-discuss] r3693 - active retired

Ben Hutchings benh at moszumanska.debian.org
Sun Feb 22 05:33:59 UTC 2015 

Author: benh
Date: 2015-02-22 05:33:59 +0000 (Sun, 22 Feb 2015)
New Revision: 3693

Added:
   retired/CVE-2014-9419
   retired/CVE-2014-9529
Removed:
   active/CVE-2014-9419
   active/CVE-2014-9529
Log:
Retire CVE-2014-9419, CVE-2014-9529

Deleted: active/CVE-2014-9419
===================================================================
--- active/CVE-2014-9419	2015-02-22 05:32:25 UTC (rev 3692)
+++ active/CVE-2014-9419	2015-02-22 05:33:59 UTC (rev 3693)
@@ -1,17 +0,0 @@
-Description: x86_64: userspace address leak
-References:
-Notes:
- bwh> This depends on fixes to FPU state management that have not been
- bwh> applied to 2.6.32.y.  In order to fix it, we would need to either
- bwh> pick only commit b3b0870ef3ff ("i387: do not preload FPU state at
- bwh> task switch time") which will hurt FP performance, or backport a
- bwh> large number of changes.  I did prepare a backport but don't feel
- bwh> confident enough to use it.
-Bugs:
-upstream: released (v3.19-rc1) [f647d7c155f069c1a068030255c300663516420e]
-2.6.32-upstream-stable: ignored ("complete fix is too invasive to backport")
-sid: released (3.16.7-ckt4-1)
-3.2-wheezy-security: released (3.2.65-1+deb7u1) [bugfix/x86/x86_64-switch_to-load-tls-descriptors-before-switchi.patch]
-2.6.32-squeeze-security: ignored ("complete fix is too invasive to backport")
-3.16-upstream-stable: released (3.16.7-ckt4)
-3.2-upstream-stable: released (3.2.67) [x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch]

Deleted: active/CVE-2014-9529
===================================================================
--- active/CVE-2014-9529	2015-02-22 05:32:25 UTC (rev 3692)
+++ active/CVE-2014-9529	2015-02-22 05:33:59 UTC (rev 3693)
@@ -1,12 +0,0 @@
-Description: security/keys/gc.c race condition
-References:
- http://marc.info/?l=linux-kernel&m=141986398232547&w=2
-Notes:
-Bugs:
-upstream: released (3.19-rc4) [a3a8784454692dd72e5d5d34dcdab17b4420e74c]
-2.6.32-upstream-stable: N/A "Vulnerable code not present"
-sid: released (3.16.7-ckt4-1)
-3.2-wheezy-security: released (3.2.65-1+deb7u1) [bugfix/all/keys-close-race-between-key-lookup-and-freeing.patch]
-2.6.32-squeeze-security: N/A "Vulnerable code not present"
-3.16-upstream-stable: released (3.16.7-ckt4)
-3.2-upstream-stable: released (3.2.67) [keys-close-race-between-key-lookup-and-freeing.patch]

Copied: retired/CVE-2014-9419 (from rev 3692, active/CVE-2014-9419)
===================================================================
--- retired/CVE-2014-9419	                        (rev 0)
+++ retired/CVE-2014-9419	2015-02-22 05:33:59 UTC (rev 3693)
@@ -0,0 +1,17 @@
+Description: x86_64: userspace address leak
+References:
+Notes:
+ bwh> This depends on fixes to FPU state management that have not been
+ bwh> applied to 2.6.32.y.  In order to fix it, we would need to either
+ bwh> pick only commit b3b0870ef3ff ("i387: do not preload FPU state at
+ bwh> task switch time") which will hurt FP performance, or backport a
+ bwh> large number of changes.  I did prepare a backport but don't feel
+ bwh> confident enough to use it.
+Bugs:
+upstream: released (v3.19-rc1) [f647d7c155f069c1a068030255c300663516420e]
+2.6.32-upstream-stable: ignored ("complete fix is too invasive to backport")
+sid: released (3.16.7-ckt4-1)
+3.2-wheezy-security: released (3.2.65-1+deb7u1) [bugfix/x86/x86_64-switch_to-load-tls-descriptors-before-switchi.patch]
+2.6.32-squeeze-security: ignored ("complete fix is too invasive to backport")
+3.16-upstream-stable: released (3.16.7-ckt4)
+3.2-upstream-stable: released (3.2.67) [x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch]

Copied: retired/CVE-2014-9529 (from rev 3692, active/CVE-2014-9529)
===================================================================
--- retired/CVE-2014-9529	                        (rev 0)
+++ retired/CVE-2014-9529	2015-02-22 05:33:59 UTC (rev 3693)
@@ -0,0 +1,12 @@
+Description: security/keys/gc.c race condition
+References:
+ http://marc.info/?l=linux-kernel&m=141986398232547&w=2
+Notes:
+Bugs:
+upstream: released (3.19-rc4) [a3a8784454692dd72e5d5d34dcdab17b4420e74c]
+2.6.32-upstream-stable: N/A "Vulnerable code not present"
+sid: released (3.16.7-ckt4-1)
+3.2-wheezy-security: released (3.2.65-1+deb7u1) [bugfix/all/keys-close-race-between-key-lookup-and-freeing.patch]
+2.6.32-squeeze-security: N/A "Vulnerable code not present"
+3.16-upstream-stable: released (3.16.7-ckt4)
+3.2-upstream-stable: released (3.2.67) [keys-close-race-between-key-lookup-and-freeing.patch]

More information about the kernel-sec-discuss mailing list