[kernel-sec-discuss] r4747 - active

Ben Hutchings benh at moszumanska.debian.org
Wed Nov 30 02:13:59 UTC 2016


Author: benh
Date: 2016-11-30 02:13:59 +0000 (Wed, 30 Nov 2016)
New Revision: 4747

Modified:
   active/CVE-2015-8962
   active/CVE-2015-8963
   active/CVE-2015-8964
   active/CVE-2016-8645
   active/CVE-2016-9555
Log:
Fill in description and status of various issues

Modified: active/CVE-2015-8962
===================================================================
--- active/CVE-2015-8962	2016-11-29 19:32:08 UTC (rev 4746)
+++ active/CVE-2015-8962	2016-11-30 02:13:59 UTC (rev 4747)
@@ -1,10 +1,10 @@
-Description:
+Description: Double-free in sg driver after hot-unplug during I/O
 References:
 Notes:
 Bugs:
 upstream: released (v4.4-rc1) [f3951a3709ff50990bf3e188c27d346792103432]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.4.2-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
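
Review bot: The unchanged `upstream:` line in this file reads `released (v4.4-rc1)` with a leading "v", while the other files touched in this revision give bare versions such as `(4.4)` and `(4.5-rc1)`. Since the file is being edited anyway, drop the "v" so that anyone comparing version strings across the tracker files sees a single format.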

Modified: active/CVE-2015-8963
===================================================================
--- active/CVE-2015-8963	2016-11-29 19:32:08 UTC (rev 4746)
+++ active/CVE-2015-8963	2016-11-30 02:13:59 UTC (rev 4747)
@@ -1,10 +1,10 @@
-Description:
+Description: Use-after-free in perf subsystem after CPU hot-unplug
 References:
 Notes:
 Bugs:
 upstream: released (4.4) [12ca6ad2e3a896256f086497a7c7406a547ee373]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.4.2-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2015-8964
===================================================================
--- active/CVE-2015-8964	2016-11-29 19:32:08 UTC (rev 4746)
+++ active/CVE-2015-8964	2016-11-30 02:13:59 UTC (rev 4747)
@@ -1,10 +1,18 @@
-Description:
+Description: Potential information leak or use-after-free in tty subsystem
 References:
+ https://source.android.com/security/bulletin/2016-11-01.html
 Notes:
+ bwh> A known use-after-free bug in N_X25 has already been fixed
+ bwh> (commit ee9159ddce14, no CVE assigned).  The Android security
+ bwh> bulletin says this fixes an information leak, presumably because
+ bwh> if receive_room is too large it will permit reading beyond a
+ bwh> buffer.  We also need commit fd98e9419d8d ("isdn/gigaset: reset
+ bwh> tty->receive_room when attaching ser_gigaset") to avoid a
+ bwh> regression.
 Bugs:
 upstream: released (4.5-rc1) [dd42bf1197144ede075a9d4793123f7689e164bc]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.5.1-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
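
Review bot: The regression fix fd98e9419d8d is recorded only in the free-text Notes, while the `upstream:` line still lists just dd42bf1197144ede075a9d4793123f7689e164bc. With the 3.2 and 3.16 entries now marked `needed`, someone backporting from the status lines alone could take the first commit without the second; consider adding the follow-up commit, with its full hash, next to the existing one on the `upstream:` line. In the note itself, "this fixes" would be clearer as "the fix for this CVE", since the preceding sentence is about the separate N_X25 bug.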

Modified: active/CVE-2016-8645
===================================================================
--- active/CVE-2016-8645	2016-11-29 19:32:08 UTC (rev 4746)
+++ active/CVE-2016-8645	2016-11-30 02:13:59 UTC (rev 4747)
@@ -13,8 +13,8 @@
 Notes:
 Bugs:
 upstream: released (4.9-rc6) [ac6e780070e30e4c35bd395acfe9191e6268bdd3]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: pending (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
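
Review bot: All four 3.2 and 3.16 entries change to `needed` here, but `Notes:` stays empty, so the file does not record why branches that old are affected by an issue fixed upstream in 4.9-rc6. A one-line note naming the commit or release that introduced the bug would let a later reader confirm the `needed` status without redoing the analysis.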

Modified: active/CVE-2016-9555
===================================================================
--- active/CVE-2016-9555	2016-11-29 19:32:08 UTC (rev 4746)
+++ active/CVE-2016-9555	2016-11-30 02:13:59 UTC (rev 4747)
@@ -3,8 +3,8 @@
 Notes:
 Bugs:
 upstream: released (4.9-rc4) [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: pending (4.8.11-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
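
Review bot: The `sid: pending (4.8.11-1)` context line has no commit reference, whereas the same line in active/CVE-2016-8645 in this revision carries `[2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]`. If the fix is already committed for sid, add its hash in brackets here too, so the pending status can be traced to a specific change.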



