[kernel-sec-discuss] r4572 - active

Ben Hutchings benh at moszumanska.debian.org
Fri Aug 12 02:03:32 UTC 2016


Author: benh
Date: 2016-08-12 02:03:32 +0000 (Fri, 12 Aug 2016)
New Revision: 4572

Modified:
   active/CVE-2014-9904
   active/CVE-2016-1583
   active/CVE-2016-4482
   active/CVE-2016-4569
   active/CVE-2016-4578
   active/CVE-2016-5243
   active/CVE-2016-5244
   active/CVE-2016-5412
   active/CVE-2016-5696
   active/CVE-2016-5728
   active/CVE-2016-6130
   active/CVE-2016-6136
Log:
Mark issues pending in {3.2,3.16}-upstream-stable

Modified: active/CVE-2014-9904
===================================================================
--- active/CVE-2014-9904	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2014-9904	2016-08-12 02:03:32 UTC (rev 4572)
@@ -3,7 +3,7 @@
 Notes: Introduced in 3.7-rc1 with b35cc8225845112a616e3a2266d2fde5ab13d3ab
 Bugs:
 upstream: released (3.17-rc1) [6217e5ede23285ddfee10d2e4ba0cc2d4c046205]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [alsa-compress-fix-an-integer-overflow-check.patch]
 3.2-upstream-stable: N/A "Introduced with b35cc8225845112a616e3a2266d2fde5ab13d3ab in 3.7-rc1"
 sid: released (4.0.2-1)
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch]

Modified: active/CVE-2016-1583
===================================================================
--- active/CVE-2016-1583	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-1583	2016-08-12 02:03:32 UTC (rev 4572)
@@ -24,8 +24,8 @@
  bwh> fix as well.
 Bugs:
 upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
+3.2-upstream-stable: pending (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
 sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
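
Review bot: The patch lists on the two new pending lines do not line up with the sid line just below them: sid carries sched-panic-on-corrupted-stack-end.patch, which has no counterpart in either pending list, while fs-limit-filesystem-stacking-depth.patch appears only in the pending lists. With three upstream commits listed, a reader cannot tell from this file whether the stack-end check was left out of 3.16.37 and 3.2.82 on purpose. A bwh> line in Notes saying which upstream commit each queued patch corresponds to would settle it.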

Modified: active/CVE-2016-4482
===================================================================
--- active/CVE-2016-4482	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-4482	2016-08-12 02:03:32 UTC (rev 4572)
@@ -7,8 +7,8 @@
  bwh> initialisation.
 Bugs:
 upstream: released (4.7-rc1) [681fef8380eb818c0b845fca5d2ab1dcbab114ee]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
+3.2-upstream-stable: pending (3.2.82) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
 sid: released (4.5.5-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]

Modified: active/CVE-2016-4569
===================================================================
--- active/CVE-2016-4569	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-4569	2016-08-12 02:03:32 UTC (rev 4572)
@@ -6,8 +6,8 @@
  bwh> struct snd_timer_tread on 32-bit architectures.
 Bugs:
 upstream: released (4.7-rc1) [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
+3.2-upstream-stable: pending (3.2.82) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
 sid: released (4.4.5-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]

Modified: active/CVE-2016-4578
===================================================================
--- active/CVE-2016-4578	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-4578	2016-08-12 02:03:32 UTC (rev 4572)
@@ -5,8 +5,8 @@
  bwh> struct snd_timer_tread on 32-bit architectures.
 Bugs:
 upstream: released (4.7-rc1) [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
+3.2-upstream-stable: pending (3.2.82) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
 sid: released (4.5.5-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]

Modified: active/CVE-2016-5243
===================================================================
--- active/CVE-2016-5243	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-5243	2016-08-12 02:03:32 UTC (rev 4572)
@@ -5,8 +5,8 @@
  bwh> In kernel versions older than 4.0 the bug is in tipc_node_get_links()
 Bugs:
 upstream: released (4.7-rc3) [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
+3.2-upstream-stable: pending (3.2.82) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
 sid: released (4.6.2-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]

Modified: active/CVE-2016-5244
===================================================================
--- active/CVE-2016-5244	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-5244	2016-08-12 02:03:32 UTC (rev 4572)
@@ -4,8 +4,8 @@
 Notes:
 Bugs:
 upstream: released (4.7-rc3) [4116def2337991b39919f3b448326e21c40e0dbb]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
+3.2-upstream-stable: pending (3.2.82) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
 sid: released (4.6.2-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
 3.2-wheezy-security: released (3.2.81-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]

Modified: active/CVE-2016-5412
===================================================================
--- active/CVE-2016-5412	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-5412	2016-08-12 02:03:32 UTC (rev 4572)
@@ -7,8 +7,8 @@
 Notes:
 Bugs:
 upstream: released (4.8-rc1) [93d17397e4e2182fdaad503e2f9da46202c0f1c3]
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-upstream-stable: pending (3.16.37) [kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch]
+3.2-upstream-stable: N/A "Transactional memory is not supported"
+sid: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Transactional memory is not supported"
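
Review bot: The log message only mentions marking issues pending in upstream-stable, but this hunk also triages the three Debian branches (sid and 3.16-jessie-security go from empty to needed, 3.2-wheezy-security to N/A), so that decision is easy to miss in the history; mention it in the log or commit it separately. The N/A reason "Transactional memory is not supported" is also harder to check than the N/A entries in the other files, which name the introducing commit and release. Adding the release in which the affected code first appeared, in Notes or in the quoted reason, would make it verifiable.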

Modified: active/CVE-2016-5696
===================================================================
--- active/CVE-2016-5696	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-5696	2016-08-12 02:03:32 UTC (rev 4572)
@@ -8,8 +8,8 @@
  been backported to older versions as well (including 3.2.x)
 Bugs:
 upstream: released (4.7) [75ff39ccc1bd5d3c455b6822ab09e533c551f758]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [tcp-make-challenge-acks-less-predictable.patch]
+3.2-upstream-stable: pending (3.2.82) [tcp-make-challenge-acks-less-predictable.patch]
 sid: needed
 3.16-jessie-security: needed
 3.2-wheezy-security: needed

Modified: active/CVE-2016-5728
===================================================================
--- active/CVE-2016-5728	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-5728	2016-08-12 02:03:32 UTC (rev 4572)
@@ -17,7 +17,7 @@
 Bugs:
  https://bugzilla.kernel.org/show_bug.cgi?id=116651
 upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch]
 3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5"
 sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f]
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch]
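
Review bot: Style point on the context around the new pending line: the upstream line writes the release as v4.7-rc1 where the other files in this commit use the bare form (4.7-rc1, 4.7-rc3), and the sid line carries a commit hash in brackets where the other files give a patch file name. Neither line is touched here, but normalising them while the file is open would keep the fields uniform across files.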

Modified: active/CVE-2016-6130
===================================================================
--- active/CVE-2016-6130	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-6130	2016-08-12 02:03:32 UTC (rev 4572)
@@ -4,7 +4,7 @@
 Bugs:
  https://bugzilla.kernel.org/show_bug.cgi?id=116741
 upstream: released (4.6-rc6) [532c34b5fbf1687df63b3fcd5b2846312ac943c6]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.37) [s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch]
 3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11 with d475f942b1dd6a897dac3ad4ed98d6994b275378"
 sid: released (4.6.1-1)
 3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch]

Modified: active/CVE-2016-6136
===================================================================
--- active/CVE-2016-6136	2016-08-12 00:03:37 UTC (rev 4571)
+++ active/CVE-2016-6136	2016-08-12 02:03:32 UTC (rev 4572)
@@ -6,8 +6,8 @@
 Notes:
 Bugs:
 upstream: released (4.8-rc1) [43761473c254b45883a64441dd0bc85a42f3645c]
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-upstream-stable: pending (3.16.37) [audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch]
+3.2-upstream-stable: pending (3.2.82) [audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch]
+sid: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
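
Review bot: All five status fields go from empty to a value here while Notes stays empty, so nothing in the file records why 3.2 is treated as affected (pending in 3.2-upstream-stable, needed in 3.2-wheezy-security). Other files in this commit note where the vulnerable code was introduced; the same one-line note here would let someone confirm the 3.2 status without re-deriving it from the upstream commit.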



