[kernel-sec-discuss] r5486 - active

Ben Hutchings benh at moszumanska.debian.org
Thu Aug 17 21:46:14 UTC 2017


Author: benh
Date: 2017-08-17 21:46:13 +0000 (Thu, 17 Aug 2017)
New Revision: 5486

Modified:
   active/CVE-2017-1000111
   active/CVE-2017-1000112
   active/CVE-2017-10661
   active/CVE-2017-10662
   active/CVE-2017-10663
   active/CVE-2017-12134
   active/CVE-2017-12762
Log:
Fill in issue status

Modified: active/CVE-2017-1000111
===================================================================
--- active/CVE-2017-1000111	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-1000111	2017-08-17 21:46:13 UTC (rev 5486)
@@ -5,9 +5,9 @@
 Bugs:
 upstream: released (4.13-rc5) [c27927e372f0785f3303e8fad94b85945e2c97b7]
 4.9-upstream-stable: released (4.9.43) [e5841355061332f8b326e098949490345dba776b]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.12.6-1) [bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch]
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-1000112
===================================================================
--- active/CVE-2017-1000112	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-1000112	2017-08-17 21:46:13 UTC (rev 5486)
@@ -6,9 +6,9 @@
 Bugs:
 upstream: released (4.13-rc5) [85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa]
 4.9-upstream-stable: released (4.9.43) [33dc6a6a85f1d6ce71e7056d009b8a5fcbf10f70]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.12.6-1) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-10661
===================================================================
--- active/CVE-2017-10661	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-10661	2017-08-17 21:46:13 UTC (rev 5486)
@@ -2,12 +2,14 @@
 References:
  https://source.android.com/security/bulletin/2017-08-01
 Notes:
+ bwh> Bug introduced in 3.0 by commit 99ee5315dac6 "timerfd: Allow timers to
+ bwh> be cancelled when clock was set"
 Bugs:
 upstream: released (4.11-rc1) [1e38da300e1e395a15048b0af1e5305bd91402f6]
 4.9-upstream-stable: released (4.9.27) [00cca9768ebe1ac4ac16366662dd9087b6e5f4e7]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.9.30-1)
 4.9-stretch-security: N/A "Fixed before initial release of stretch"
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
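Review bot: the added bwh> note at the top of this hunk ends without a full stop after the quoted commit subject, whereas the equivalent notes added to CVE-2017-10662 and CVE-2017-10663 in this revision end with one; add the full stop so the Notes: fields stay consistent. The content itself lines up: a bug introduced in 3.0 is consistent with marking both 3.2 and 3.16 as needed.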

Modified: active/CVE-2017-10662
===================================================================
--- active/CVE-2017-10662	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-10662	2017-08-17 21:46:13 UTC (rev 5486)
@@ -2,12 +2,14 @@
 References:
  https://source.android.com/security/bulletin/2017-08-01
 Notes:
+ bwh> Vulnerable code added in 3.8 by commit 39a53e0ce0df "f2fs: add superblock
+ bwh> and major in-memory structure".
 Bugs:
 upstream: released (4.12-rc1) [b9dd46188edc2f0d1f37328637860bb65a771124]
 4.9-upstream-stable: released (4.9.28) [93862955cbf485215f0677229292d0f358af55fc]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.9.30-1)
 4.9-stretch-security: N/A "Fixed before the initial release of Stretch"
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"

Modified: active/CVE-2017-10663
===================================================================
--- active/CVE-2017-10663	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-10663	2017-08-17 21:46:13 UTC (rev 5486)
@@ -3,12 +3,14 @@
  https://source.android.com/security/bulletin/2017-08-01
  https://sourceforge.net/p/linux-f2fs/mailman/message/35835945/
 Notes:
+ bwh> Vulnerable code added in 3.8 by commit 127e670abfa7 "f2fs: add checkpoint
+ bwh> operations".
 Bugs:
 upstream: released (4.13-rc1) [15d3042a937c13f5d9244241c7a9c8416ff6e82a]
 4.9-upstream-stable: released (4.9.42) [0f442c5b2e4ac0b65027ed3374462f1c38675f7e]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.12.6-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"

Modified: active/CVE-2017-12134
===================================================================
--- active/CVE-2017-12134	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-12134	2017-08-17 21:46:13 UTC (rev 5486)
@@ -2,12 +2,12 @@
 References:
  https://xenbits.xen.org/xsa/advisory-229.html
 Notes:
-Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+Bugs: #866511
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
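Review bot: the Notes: field is left empty in this hunk while every branch, upstream included, is set to needed. The CVE-2017-10661, CVE-2017-10662 and CVE-2017-10663 entries in this revision each gain a bwh> note naming the introducing commit and version, which is what lets a reader check needed against N/A for 3.2 and 3.16; a similar note here, saying which versions carry the affected code, would make the eight statuses verifiable beyond the #866511 reference.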

Modified: active/CVE-2017-12762
===================================================================
--- active/CVE-2017-12762	2017-08-17 20:33:05 UTC (rev 5485)
+++ active/CVE-2017-12762	2017-08-17 21:46:13 UTC (rev 5486)
@@ -7,12 +7,14 @@
  carnil> debian/config: Disable ISDN_I4L and related options.
  carnil> we still might apply the patch for the benefit of people
  carnil> building customized kernel from the debian source.
+ bwh> ISDN4Linux is full of bugs like this, so we shouldn't waste time
+ bwh> fixing the few that get reported.
 Bugs:
 upstream: released (4.13-rc4) [9f5af546e6acc30f075828cb58c7f09665033967]
 4.9-upstream-stable: released (4.9.41) [7b3a66739ff01fcd9b8007a18ddd29edd2cb74f7]
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid: needed
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-upstream-stable: ignored "Driver is unfixable"
+3.2-upstream-stable: ignored "Driver is unfixable"
+sid: ignored "Driver is unfixable"
+4.9-stretch-security: ignored  "Driver is unfixable"
+3.16-jessie-security: ignored "Driver is unfixable"
+3.2-wheezy-security: ignored "Driver is unfixable"
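Review bot: the sid line changes from needed to ignored "Driver is unfixable", but the carnil> note kept as context just above still says the patch might be applied for the benefit of people building customized kernels from the Debian source, so the entry now reads as contradicting itself; either amend that note or state in the new bwh> note that it supersedes it. Separately, the 4.9-stretch-security line has two spaces before the quoted reason where the other five added status lines have one.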



