[kernel-sec-discuss] r4739 - active
Ben Hutchings
benh at moszumanska.debian.org
Mon Nov 28 19:28:34 UTC 2016
Author: benh
Date: 2016-11-28 19:28:33 +0000 (Mon, 28 Nov 2016)
New Revision: 4739
Modified:
active/CVE-2016-7910
active/CVE-2016-7911
active/CVE-2016-7912
active/CVE-2016-7913
active/CVE-2016-7914
active/CVE-2016-7915
active/CVE-2016-7916
active/CVE-2016-7917
active/CVE-2016-8650
active/CVE-2016-9178
Log:
Fill in description and status of various issues
Modified: active/CVE-2016-7910
===================================================================
--- active/CVE-2016-7910 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7910 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,10 +1,10 @@
-Description:
+Description: Use-after-free in /proc/partitions implementation
References:
Notes:
Bugs:
upstream: released (4.8-rc1) [77da160530dd1dc94f6ae15a981f24e5f0021e84]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: released (3.16.39)
+3.2-upstream-stable: released (3.2.84)
sid: released (4.7.2-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-7911
===================================================================
--- active/CVE-2016-7911 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7911 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,10 +1,11 @@
-Description:
+Description: Use-after-free in ioprio_get() implementation
References:
Notes:
+ bwh> Implementation was in fs/ioprio.c before v3.16
Bugs:
upstream: released (4.7-rc7) 8ba8682107ee2ca3347354e018865d8e1967c5f4]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: released (3.16.37)
+3.2-upstream-stable: needed
sid: released (4.7.2-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-7912
===================================================================
--- active/CVE-2016-7912 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7912 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,12 +1,12 @@
-Description:
+Description: Use-after-free in USB gadget functionfs
References:
Notes:
carnil> Introduced in 3.15-rc1 with 2e4c7553cd6f9c68bb741582dcb614edcbeca70f
carnil> but might have been backported.
Bugs:
upstream: released (4.6-rc5) [38740a5b87d53ceb89eb2c970150f6e94e00373a]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.5.3-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-7913
===================================================================
--- active/CVE-2016-7913 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7913 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,10 +1,12 @@
-Description:
+Description: Use-after-free in xc2028 driver
References:
Notes:
+ bwh> Appears to have been introduced by commit 61a96113de51
+ bwh> "[media] tuner-xc2028: use request_firmware_nowait()" in 3.6
Bugs:
upstream: released (4.6-rc1) [8dfbcc4351a0b6d2f2d77f367552f48ffefafe18]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: released (3.16.35)
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.6.1-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: released (3.16.36-1)
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-7914
===================================================================
--- active/CVE-2016-7914 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7914 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,10 +1,11 @@
-Description:
+Description: Out-of-bounds read in assoc_array
References:
Notes:
+ bwh> assoc_array was added in v3.13
Bugs:
upstream: released (v4.6-rc4) [8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: released (3.16.36)
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.5.3-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: released (3.16.36-1)
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-7915
===================================================================
--- active/CVE-2016-7915 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7915 2016-11-28 19:28:33 UTC (rev 4739)
@@ -1,10 +1,10 @@
-Description:
+Description: Out-of-bounds read in hid-core
References:
Notes:
Bugs:
upstream: released (4.6-rc1) [50220dead1650609206efe91f0cc116132d59b3f]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: released (4.6.1-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-7916
===================================================================
--- active/CVE-2016-7916 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7916 2016-11-28 19:28:33 UTC (rev 4739)
@@ -10,8 +10,8 @@
Notes:
Bugs:
upstream: released (4.6-rc7) [8148a73c9901a8794a50f950083c00ccf97d43b3]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: released (3.16.36)
+3.2-upstream-stable: released (3.2.81)
sid: released (4.5.4-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: released (3.16.36-1)
+3.2-wheezy-security: released (3.2.81-1)
Modified: active/CVE-2016-7917
===================================================================
--- active/CVE-2016-7917 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-7917 2016-11-28 19:28:33 UTC (rev 4739)
@@ -8,10 +8,12 @@
Notes:
carnil> Introduced in 3.19-rc5 with 9ea2aa8b7dba9e99544c4187cc298face254569f but needs double
carnil> check if backported.
+ bwh> It was backported to 3.16-stable as commit d922a1cee45e (among other
+ bwh> stable branches)
Bugs:
upstream: released (4.5-rc6) [c58d6c93680f28ac58984af61d0a7ebf4319c241]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.5.1-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-8650
===================================================================
--- active/CVE-2016-8650 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-8650 2016-11-28 19:28:33 UTC (rev 4739)
@@ -5,8 +5,8 @@
Notes:
Bugs:
upstream: released (4.9-rc7) [f5527fffff3f002b0a6b376163613b82f69de073]
-3.16-upstream-stable:
+3.16-upstream-stable: needed
3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with cdec9cb5167ab1113ba9c58e395f664d9d3f9acb"
-sid:
-3.16-jessie-security:
+sid: needed
+3.16-jessie-security: needed
3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-9178
===================================================================
--- active/CVE-2016-9178 2016-11-28 19:21:47 UTC (rev 4738)
+++ active/CVE-2016-9178 2016-11-28 19:28:33 UTC (rev 4739)
@@ -9,8 +9,8 @@
carnil> as well. See notes in CVE-2016-9644
Bugs:
upstream: released (4.8-rc7) [1c109fabbd51863475cd12ac206bdd249aee35af]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: released (4.7.5-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
More information about the kernel-sec-discuss
mailing list