[kernel-sec-discuss] r4658 - active
Ben Hutchings
benh at moszumanska.debian.org
Mon Oct 17 17:49:02 UTC 2016
Author: benh
Date: 2016-10-17 17:49:02 +0000 (Mon, 17 Oct 2016)
New Revision: 4658
Modified:
active/CVE-2015-8955
active/CVE-2015-8956
active/CVE-2016-6327
active/CVE-2016-7042
active/CVE-2016-8658
Log:
Fill in status and description for most outstanding CVEs
Modified: active/CVE-2015-8955
===================================================================
--- active/CVE-2015-8955 2016-10-17 17:04:49 UTC (rev 4657)
+++ active/CVE-2015-8955 2016-10-17 17:49:02 UTC (rev 4658)
@@ -1,10 +1,11 @@
-Description:
+Description: Incomplete validation of hardware perf_events on arm64
References:
Notes:
+ bwh> Minor issue for Debian since we restrict access to perf_event by default
Bugs:
upstream: released (4.1-rc1) [8fff105e13041e49b82f92eef034f363a6b1c071]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable architecture not present"
sid: released (4.1.3-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable architecture not present"
Modified: active/CVE-2015-8956
===================================================================
--- active/CVE-2015-8956 2016-10-17 17:04:49 UTC (rev 4657)
+++ active/CVE-2015-8956 2016-10-17 17:49:02 UTC (rev 4658)
@@ -1,10 +1,12 @@
-Description:
+Description: Potential null dereference in rfcomm protocol
References:
Notes:
+ bwh> This is minor for 3.2 as the only dereference is in a conditional
+ bwh> logging statement which is disabled by default.
Bugs:
upstream: released (4.2-rc1) [951b6a0717db97ce420547222647bcc40bf1eacd]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: released (4.2.1-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-6327
===================================================================
--- active/CVE-2016-6327 2016-10-17 17:04:49 UTC (rev 4657)
+++ active/CVE-2016-6327 2016-10-17 17:49:02 UTC (rev 4658)
@@ -1,10 +1,10 @@
-Description:
+Description: Null dereference in Infiniband SRP target
References:
Notes:
Bugs:
upstream: released (4.6-rc1) [51093254bf879bc9ce96590400a87897c7498463]
-3.16-upstream-stable:
+3.16-upstream-stable: needed
3.2-upstream-stable: N/A "Vulnerable code introduced in 3.8-rc1 with 3e4f574857eebce60bb56d7524f3f9eaa2a126d0"
sid: released (4.6.1-1)
-3.16-jessie-security:
+3.16-jessie-security: needed
3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2016-7042
===================================================================
--- active/CVE-2016-7042 2016-10-17 17:04:49 UTC (rev 4657)
+++ active/CVE-2016-7042 2016-10-17 17:49:02 UTC (rev 4658)
@@ -5,8 +5,8 @@
Notes:
Bugs:
upstream: needed
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: pending (4.7.7-1) [bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch]
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2016-8658
===================================================================
--- active/CVE-2016-8658 2016-10-17 17:04:49 UTC (rev 4657)
+++ active/CVE-2016-8658 2016-10-17 17:49:02 UTC (rev 4658)
@@ -1,10 +1,15 @@
-Description:
+Description: Stack buffer overflow in brcmfmac driver
References:
Notes:
+ bwh> Appears to have been introduced in 3.7 by commit 1a8733423975,
+ bwh> contrary to the commit message. Source file was introduced as
+ bwh> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c, renamed to
+ bwh> drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c and then to
+ bwh> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
Bugs:
upstream: released (v4.8-rc8) [ded89912156b1a47d940a0c954c43afbabd0c42c]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.7.5-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
More information about the kernel-sec-discuss
mailing list