[kernel-sec-discuss] r4822 - active
Ben Hutchings
benh at moszumanska.debian.org
Thu Dec 29 03:45:11 UTC 2016
Author: benh
Date: 2016-12-29 03:45:11 +0000 (Thu, 29 Dec 2016)
New Revision: 4822
Modified:
active/CVE-2016-8645
active/CVE-2016-8650
active/CVE-2016-8655
active/CVE-2016-9178
active/CVE-2016-9555
active/CVE-2016-9576
active/CVE-2016-9756
active/CVE-2016-9793
active/CVE-2016-9794
Log:
Mark issues pending for jessie
Modified: active/CVE-2016-8645
===================================================================
--- active/CVE-2016-8645 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8645 2016-12-29 03:45:11 UTC (rev 4822)
@@ -21,5 +21,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]
3.2-wheezy-security: needed
Modified: active/CVE-2016-8650
===================================================================
--- active/CVE-2016-8650 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8650 2016-12-29 03:45:11 UTC (rev 4822)
@@ -8,5 +8,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with cdec9cb5167ab1113ba9c58e395f664d9d3f9acb"
sid: released (4.8.11-1) [bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch]
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch]
3.2-wheezy-security: N/A "Vulnerable code not present"
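Review bot: The patch name on the new 3.16-jessie-security line is all lower case (mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch), while the sid line two lines above references mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch. If the two branches really carry differently named files this is fine, but please confirm the jessie path matches the file as committed so the bracketed reference resolves.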
Modified: active/CVE-2016-8655
===================================================================
--- active/CVE-2016-8655 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-8655 2016-12-29 03:45:11 UTC (rev 4822)
@@ -10,5 +10,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]
Modified: active/CVE-2016-9178
===================================================================
--- active/CVE-2016-9178 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9178 2016-12-29 03:45:11 UTC (rev 4822)
@@ -13,5 +13,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.7.5-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]
Modified: active/CVE-2016-9555
===================================================================
--- active/CVE-2016-9555 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9555 2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,5 +6,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.8.11-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]
Modified: active/CVE-2016-9576
===================================================================
--- active/CVE-2016-9576 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9576 2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,14 +6,13 @@
bwh> When the CVE was assigned this was claimed to be fixed by commit
bwh> a0ac402cfcdc "Don't feed anything but regular iovec's to
bwh> blk_rq_map_user_iov". That very likely addreses similar
- bwh> vulnerabilities in other drivers. But sg doesn't implement
- bwh> splice itself, and always passes iovecs. It looks like commit
- bwh> 128394eff343 "sg_write()/bsg_write() is not fit to be called
- bwh> under KERNEL_DS" is the real fix for this.
+ bwh> vulnerabilities in other drivers, but doesn't completely fix
+ bwh> this. Commit 128394eff343 "sg_write()/bsg_write() is not fit
+ bwh> to be called under KERNEL_DS" is a complete fix for sg and bsg.
Bugs:
upstream: released (4.10-rc1) [128394eff343fc6d2f32172f03e24829539c5835]
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: needed
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
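Review bot: The rewritten bwh> note drops the reason a0ac402cfcdc is insufficient for this issue (the removed lines said sg doesn't implement splice itself and always passes iovecs), so "doesn't completely fix this" is now unexplained. Suggest keeping a one-clause reason so someone triaging a backport can tell why a0ac402cfcdc alone is not enough. While this paragraph is being touched, "addreses" in the unchanged line above could be corrected to "addresses". Also note that sid stays "needed" here while both security branches are pending; if that is intentional, a short remark would help.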
Modified: active/CVE-2016-9756
===================================================================
--- active/CVE-2016-9756 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9756 2016-12-29 03:45:11 UTC (rev 4822)
@@ -7,5 +7,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]
Modified: active/CVE-2016-9793
===================================================================
--- active/CVE-2016-9793 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9793 2016-12-29 03:45:11 UTC (rev 4822)
@@ -9,5 +9,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.8.15-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
Modified: active/CVE-2016-9794
===================================================================
--- active/CVE-2016-9794 2016-12-29 00:02:58 UTC (rev 4821)
+++ active/CVE-2016-9794 2016-12-29 03:45:11 UTC (rev 4822)
@@ -6,5 +6,5 @@
3.16-upstream-stable: needed
3.2-upstream-stable: needed
sid: released (4.7.2-1)
-3.16-jessie-security: needed
+3.16-jessie-security: pending (3.16.39-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]
3.2-wheezy-security: pending (3.2.84-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]