[kernel-sec-discuss] r4822 - active

Ben Hutchings benh at moszumanska.debian.org
Thu Dec 29 03:45:11 UTC 2016 

Author: benh
Date: 2016-12-29 03:45:11 +0000 (Thu, 29 Dec 2016)
New Revision: 4822

Modified:
   active/CVE-2016-8645
   active/CVE-2016-8650
   active/CVE-2016-8655
   active/CVE-2016-9178
   active/CVE-2016-9555
   active/CVE-2016-9576
   active/CVE-2016-9756
   active/CVE-2016-9793
   active/CVE-2016-9794
Log:
Mark issues pending for jessie

Modified: active/CVE-2016-8645
===================================================================
--- active/CVE-2016-8645	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8645	2016-12-29 03:45:11 UTC (rev 4822)
@@ -21,5 +21,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]
 3.2-wheezy-security: needed

Modified: active/CVE-2016-8650
===================================================================
--- active/CVE-2016-8650	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8650	2016-12-29 03:45:11 UTC (rev 4822)
@@ -8,5 +8,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with cdec9cb5167ab1113ba9c58e395f664d9d3f9acb"
 sid: released (4.8.11-1) [bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch]
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch]
 3.2-wheezy-security: N/A "Vulnerable code not present"

Modified: active/CVE-2016-8655
===================================================================
--- active/CVE-2016-8655	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8655	2016-12-29 03:45:11 UTC (rev 4822)
@@ -10,5 +10,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]

Modified: active/CVE-2016-9178
===================================================================
--- active/CVE-2016-9178	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9178	2016-12-29 03:45:11 UTC (rev 4822)
@@ -13,5 +13,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.7.5-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]

Modified: active/CVE-2016-9555
===================================================================
--- active/CVE-2016-9555	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9555	2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,5 +6,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.8.11-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]

Modified: active/CVE-2016-9576
===================================================================
--- active/CVE-2016-9576	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9576	2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,14 +6,13 @@
  bwh> When the CVE was assigned this was claimed to be fixed by commit
  bwh> a0ac402cfcdc "Don't feed anything but regular iovec's to
  bwh> blk_rq_map_user_iov".  That very likely addreses similar
- bwh> vulnerabilities in other drivers.  But sg doesn't implement
- bwh> splice itself, and always passes iovecs.  It looks like commit
- bwh> 128394eff343 "sg_write()/bsg_write() is not fit to be called
- bwh> under KERNEL_DS" is the real fix for this.
+ bwh> vulnerabilities in other drivers, but doesn't completely fix
+ bwh> this.  Commit 128394eff343 "sg_write()/bsg_write() is not fit
+ bwh> to be called under KERNEL_DS" is a complete fix for sg and bsg.
 Bugs:
 upstream: released (4.10-rc1) [128394eff343fc6d2f32172f03e24829539c5835]
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: needed
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]

Modified: active/CVE-2016-9756
===================================================================
--- active/CVE-2016-9756	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9756	2016-12-29 03:45:11 UTC (rev 4822)
@@ -7,5 +7,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]

Modified: active/CVE-2016-9793
===================================================================
--- active/CVE-2016-9793	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9793	2016-12-29 03:45:11 UTC (rev 4822)
@@ -9,5 +9,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]

Modified: active/CVE-2016-9794
===================================================================
--- active/CVE-2016-9794	2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9794	2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,5 +6,5 @@
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.7.2-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]
 3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]

More information about the kernel-sec-discuss mailing list