[kernel-sec-discuss] r4336 - active
Ben Hutchings
benh at moszumanska.debian.org
Mon Apr 25 20:40:31 UTC 2016
Author: benh
Date: 2016-04-25 20:40:31 +0000 (Mon, 25 Apr 2016)
New Revision: 4336
Modified:
active/CVE-2016-2117
active/CVE-2016-2143
active/CVE-2016-2184
active/CVE-2016-2185
active/CVE-2016-2186
active/CVE-2016-2187
active/CVE-2016-3134
active/CVE-2016-3136
active/CVE-2016-3137
active/CVE-2016-3138
active/CVE-2016-3140
active/CVE-2016-3156
active/CVE-2016-3157
active/CVE-2016-3672
active/CVE-2016-3689
active/CVE-2016-3951
active/CVE-2016-3955
active/CVE-2016-3961
Log:
Update status of issues in upstream and 3.{2,16}-upstream stable
Modified: active/CVE-2016-2117
===================================================================
--- active/CVE-2016-2117 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2117 2016-04-25 20:40:31 UTC (rev 4336)
@@ -4,10 +4,8 @@
https://bugzilla.novell.com/show_bug.cgi?id=968697
http://mid.gmane.org/0160420222308.GJ3348@decadent.org.uk
Notes:
- bwh> The only affected in-tree driver is atl2, and only starting from 3.10.
- bwh> Sent a patch for this (listed in references).
Bugs:
-upstream: needed
+upstream: released (4.6-rc5) [f43bfaeddc79effbf3d0fcb53ca477cca66f3db8]
3.16-upstream-stable: needed
3.2-upstream-stable: N/A ("scatter/gather cannot be enabled")
sid: pending (4.5.2-1) [bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch]
Modified: active/CVE-2016-2143
===================================================================
--- active/CVE-2016-2143 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2143 2016-04-25 20:40:31 UTC (rev 4336)
@@ -4,7 +4,7 @@
Introduced since 6252d702c5311ce916caf75ed82e5c8245171c92 (v2.6.25-rc1)
Bugs:
upstream: released (4.5) [3446c13b268af86391d06611327006b059b8bab1]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [s390-mm-four-page-table-levels-vs.-fork.patch]
3.2-upstream-stable: released (3.2.79) [s390-mm-four-page-table-levels-vs.-fork.patch]
sid: released (4.4.6-1)
3.16-jessie-security: pending (3.16.7-ckt25-2+deb8u1) [bugfix/s390/s390-mm-four-page-table-levels-vs.-fork.patch]
Modified: active/CVE-2016-2184
===================================================================
--- active/CVE-2016-2184 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2184 2016-04-25 20:40:31 UTC (rev 4336)
@@ -7,7 +7,7 @@
Bugs:
upstream: released (4.6-rc1) [0f886ca12765d20124bd06291c82951fd49a33be, 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a]
3.16-upstream-stable: released (3.16.7-ckt27)
-3.2-upstream-stable: needed
+3.2-upstream-stable: pending (3.2.80) [alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch, alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-2185
===================================================================
--- active/CVE-2016-2185 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2185 2016-04-25 20:40:31 UTC (rev 4336)
@@ -7,7 +7,7 @@
Bugs:
upstream: released (4.6-rc1) [950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d]
3.16-upstream-stable: released (3.16.7-ckt27)
-3.2-upstream-stable: needed
+3.2-upstream-stable: pending (3.2.80) [input-ati_remote2-fix-crashes-on-detecting-device-with-invalid.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-2186
===================================================================
--- active/CVE-2016-2186 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2186 2016-04-25 20:40:31 UTC (rev 4336)
@@ -7,7 +7,7 @@
Bugs:
upstream: released (4.6-rc1) [9c6ba456711687b794dcf285856fc14e2c76074f]
3.16-upstream-stable: released (3.16.7-ckt27)
-3.2-upstream-stable: needed
+3.2-upstream-stable: pending (3.2.80) [input-powermate-fix-oops-with-malicious-usb-descriptors.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-2187
===================================================================
--- active/CVE-2016-2187 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-2187 2016-04-25 20:40:31 UTC (rev 4336)
@@ -4,8 +4,8 @@
Notes:
Bugs:
upstream: released (4.6-rc5) [162f98dea487206d9ab79fc12ed64700667a894d]
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-3134
===================================================================
--- active/CVE-2016-3134 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3134 2016-04-25 20:40:31 UTC (rev 4336)
@@ -12,8 +12,8 @@
bwh> The upstream fixes (in davem/net.git) are the last two listed above
Bugs:
upstream: released (4.6-rc2) [bdf533de6968e9686df777dc178486f600c6e617, 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [netfilter-x_tables-validate-e-target_offset-early.patch, netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch]
+3.2-upstream-stable: pending (3.2.80) [netfilter-x_tables-validate-e-target_offset-early.patch, netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch]
sid: released (4.5.1-1) [bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch, bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch]
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3136
===================================================================
--- active/CVE-2016-3136 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3136 2016-04-25 20:40:31 UTC (rev 4336)
@@ -5,8 +5,8 @@
Notes:
Bugs:
upstream: released (4.6-rc3) [4e9a0b05257f29cf4b75f3209243ed71614d062e]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [usb-mct_u232-add-sanity-checking-in-probe.patch]
+3.2-upstream-stable: pending (3.2.80) [usb-mct_u232-add-sanity-checking-in-probe.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3137
===================================================================
--- active/CVE-2016-3137 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3137 2016-04-25 20:40:31 UTC (rev 4336)
@@ -5,8 +5,8 @@
Notes:
Bugs:
upstream: released (4.6-rc3) [c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [usb-cypress_m8-add-endpoint-sanity-check.patch]
+3.2-upstream-stable: pending (3.2.80) [usb-cypress_m8-add-endpoint-sanity-check.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3138
===================================================================
--- active/CVE-2016-3138 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3138 2016-04-25 20:40:31 UTC (rev 4336)
@@ -6,7 +6,7 @@
Bugs:
upstream: released (4.6-rc1) [8835ba4a39cf53f705417b3b3a94eb067673f2c9]
3.16-upstream-stable: released (3.16.7-ckt27)
-3.2-upstream-stable: needed
+3.2-upstream-stable: pending (3.2.80) [usb-cdc-acm-more-sanity-checking.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3140
===================================================================
--- active/CVE-2016-3140 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3140 2016-04-25 20:40:31 UTC (rev 4336)
@@ -6,8 +6,8 @@
Proposed patch: http://marc.info/?l=linux-usb&m=145796765030590&w=2
Bugs:
upstream: released (4.6-rc3) [5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch]
+3.2-upstream-stable: pending (3.2.80) [usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3156
===================================================================
--- active/CVE-2016-3156 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3156 2016-04-25 20:40:31 UTC (rev 4336)
@@ -4,7 +4,7 @@
Bugs:
upstream: released (4.6-rc1) [fbd40ea0180a2d328c5adc61414dc8bab9335ce2]
3.16-upstream-stable: released (3.16.7-ckt27)
-3.2-upstream-stable: needed
+3.2-upstream-stable: pending (3.2.80) [ipv4-don-t-do-expensive-useless-work-during-inetdev-destroy.patch]
sid: released (4.5.1-1) [bugfix/all/ipv4-don-t-do-expensive-useless-work-during-inetdev-.patch]
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3157
===================================================================
--- active/CVE-2016-3157 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3157 2016-04-25 20:40:31 UTC (rev 4336)
@@ -4,8 +4,8 @@
Notes:
Bugs:
upstream: released (4.6-rc1) [b7a584598aea7ca73140cb87b40319944dd3393f]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: released (3.16.7-ckt27)
+3.2-upstream-stable: pending (3.2.80) [x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch]
sid: released (4.5.1-1)
3.16-jessie-security: pending (3.16.7-ckt25-2+deb8u1) [bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch]
3.2-wheezy-security: pending (3.2.78-1+deb7u1) [bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch]
Modified: active/CVE-2016-3672
===================================================================
--- active/CVE-2016-3672 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3672 2016-04-25 20:40:31 UTC (rev 4336)
@@ -7,8 +7,8 @@
bwh> probably wait a while before backporting.
Bugs:
upstream: released (4.6-rc1) [8b8addf891de8a00e4d39fc32f93f7c5eb8feceb]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch]
+3.2-upstream-stable: pending (3.2.80) [x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch]
sid: released (4.5.1-1) [bugfix/all/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch]
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3689
===================================================================
--- active/CVE-2016-3689 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3689 2016-04-25 20:40:31 UTC (rev 4336)
@@ -3,7 +3,7 @@
Notes:
Bugs:
upstream: released (4.6-rc1) [a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [input-ims-pcu-sanity-check-against-missing-interfaces.patch]
3.2-upstream-stable: N/A "vulnerable code not present"
sid: released (4.5.1-1)
3.16-jessie-security: N/A "driver is not enabled"
Modified: active/CVE-2016-3951
===================================================================
--- active/CVE-2016-3951 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3951 2016-04-25 20:40:31 UTC (rev 4336)
@@ -1,10 +1,11 @@
Description: usbnet: memory corruption triggered by invalid USB descriptor
References:
Notes:
+ bwh> First part was included in 3.16.7-ckt26 and doesn't seem to be needed for 3.2
Bugs:
upstream: released (4.5) [4d06dd537f95683aba3651098ae288b7cbff8274, 1666984c8625b3db19a9abc298931d35ab7bc64b]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.35) [usbnet-cleanup-after-bind-in-probe.patch]
+3.2-upstream-stable: pending (3.2.80) [usbnet-cleanup-after-bind-in-probe.patch]
sid: released (4.5.1-1)
3.16-jessie-security: needed
3.2-wheezy-security: needed
Modified: active/CVE-2016-3955
===================================================================
--- active/CVE-2016-3955 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3955 2016-04-25 20:40:31 UTC (rev 4336)
@@ -3,8 +3,8 @@
Notes:
Bugs:
upstream: released (4.6-rc3) [b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: pending (3.16.35) [usb-usbip-fix-potential-out-of-bounds-write.patch]
+3.2-upstream-stable: pending (3.2.80) [usb-usbip-fix-potential-out-of-bounds-write.patch]
sid: pending (4.5.2-1) [bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch]
3.16-jessie-security: pending (3.16.7-ckt25-2+deb8u1) [bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch]
3.2-wheezy-security: pending (3.2.78-1+deb7u1) [bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch]
Modified: active/CVE-2016-3961
===================================================================
--- active/CVE-2016-3961 2016-04-25 15:10:54 UTC (rev 4335)
+++ active/CVE-2016-3961 2016-04-25 20:40:31 UTC (rev 4336)
@@ -3,9 +3,9 @@
http://xenbits.xen.org/xsa/advisory-174.html
Notes:
Bugs:
-upstream: needed
-3.16-upstream-stable:
-3.2-upstream-stable:
+upstream: released (4.6-rc5) [103f6112f253017d7062cd74d17f4a514ed4485c]
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: pending (4.5.2-1) [bugfix/x86/x86-xen-suppress-hugetlbfs-in-PV-guests.patch]
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
More information about the kernel-sec-discuss
mailing list