[kernel-sec-discuss] r5793 - active
Ben Hutchings
benh at moszumanska.debian.org
Tue Dec 19 22:33:34 UTC 2017
Author: benh
Date: 2017-12-19 22:33:33 +0000 (Tue, 19 Dec 2017)
New Revision: 5793
Modified:
active/CVE-2017-15121
active/CVE-2017-15126
active/CVE-2017-15127
active/CVE-2017-15128
active/CVE-2017-17558
active/CVE-2017-17741
Log:
Fill in status for several issues
Modified: active/CVE-2017-15121
===================================================================
--- active/CVE-2017-15121 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-15121 2017-12-19 22:33:33 UTC (rev 5793)
@@ -2,12 +2,14 @@
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1520893
Notes:
+ bwh> Red Hat reports this as affecting RHEL 6 (2.6.32ish) and 7 (3.10ish),
+ bwh> so I assume that 3.2 is affected.
Bugs:
upstream: released (3.11-rc1) [5a7203947a1d9b6f3a00a39fda08c2466489555f]
4.9-upstream-stable: N/A "Fixed before branching point"
3.16-upstream-stable: N/A "Fixed before branching point"
-3.2-upstream-stable:
+3.2-upstream-stable: needed
sid: released (3.11.5-1)
4.9-stretch-security: N/A "Fixed before branching point"
3.16-jessie-security: N/A "Fixed before branching point"
-3.2-wheezy-security:
+3.2-wheezy-security: needed
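Review bot: The "needed" status on 3.2-upstream-stable and 3.2-wheezy-security rests on the assumption stated in the new Notes lines ("so I assume that 3.2 is affected"), which is inferred from Red Hat's report on its 2.6.32-based and 3.10-based kernels rather than from the 3.2 source. Before a backport is scheduled, the 3.2 tree should be checked against the upstream fix 5a7203947a1d9b6f3a00a39fda08c2466489555f and the note updated to say the code was confirmed affected.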
Modified: active/CVE-2017-15126
===================================================================
--- active/CVE-2017-15126 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-15126 2017-12-19 22:33:33 UTC (rev 5793)
@@ -2,12 +2,14 @@
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1523481
Notes:
+ bwh> Introduced in 4.11 by commit 893e26e61d04 "userfaultfd: non-cooperative:
+ bwh> Add fork() event".
Bugs:
upstream: released (4.14-rc4) [384632e67e0829deb8015ee6ad916b180049d252]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.13.10-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2017-15127
===================================================================
--- active/CVE-2017-15127 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-15127 2017-12-19 22:33:33 UTC (rev 5793)
@@ -2,12 +2,14 @@
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1525218
Notes:
+ bwh> Appears to have been introduced in 4.11 by commit 8fb5debc5fcd "userfaultfd:
+ bwh> hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support".
Bugs:
upstream: released (4.13-rc5) [5af10dfd0afc559bb4b0f7e3e8227a1578333995]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid: released (3.13.4-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.13.4-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
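Review bot: The sid line changes from "released (3.13.4-1)" to "released (4.13.4-1)", which corrects an existing value rather than filling in an empty status, and the log message ("Fill in status for several issues") does not mention it. A word in the log about the version correction would make the change easier to find later. Separately, the N/A "Vulnerable code not present" entries are definite while the Notes line hedges ("Appears to have been introduced in 4.11"); confirming that commit 8fb5debc5fcd is the introducing change would let the note drop "appears".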
Modified: active/CVE-2017-15128
===================================================================
--- active/CVE-2017-15128 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-15128 2017-12-19 22:33:33 UTC (rev 5793)
@@ -2,12 +2,14 @@
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1525222
Notes:
+ bwh> The affected function was added in 4.11 by commit 8fb5debc5fcd "userfaultfd:
+ bwh> hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
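Review bot: The new Notes lines refer to "the affected function" without naming it, so the N/A entries for 4.9, 3.16 and 3.2 can only be checked by reading commit 8fb5debc5fcd; naming the function in the note would make the entry self-contained. The "upstream: needed" and "sid: needed" lines also carry no reference to a proposed fix, and the only pointer is the Red Hat bug under References, so a link to the patch should be added to Notes once one is posted.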
Modified: active/CVE-2017-17558
===================================================================
--- active/CVE-2017-17558 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-17558 2017-12-19 22:33:33 UTC (rev 5793)
@@ -3,12 +3,13 @@
http://www.openwall.com/lists/oss-security/2017/12/12/7
https://www.spinics.net/lists/linux-usb/msg163644.html
Notes:
+ bwh> This appears to pre-date git history.
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: released (4.15-rc4) [48a4ff1c7bb5a32d2e396b03132d20d552c0eca7]
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
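Review bot: The Notes line "This appears to pre-date git history" does not say what "this" refers to. Given that every branch is marked "needed", it presumably means the vulnerable code; wording such as "The vulnerable code appears to pre-date git history" would remove the ambiguity and tie the note directly to the statuses below it.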
Modified: active/CVE-2017-17741
===================================================================
--- active/CVE-2017-17741 2017-12-19 11:43:24 UTC (rev 5792)
+++ active/CVE-2017-17741 2017-12-19 22:33:33 UTC (rev 5793)
@@ -3,12 +3,15 @@
https://www.spinics.net/lists/kvm/msg160710.html
https://www.spinics.net/lists/kvm/msg160796.html
Notes:
+ bwh> This appears to only affect the write_mmio tracepoint, so it won't do any
+ bwh> harm unless that tracepoint is enabled. Introduced in 2.6.32 by commit
+ bwh> aec51dc4f158 "KVM: Trace mmio".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: pending [e39d200fa5bf5b94a0948db0dae44c1b73b84a56]
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
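Review bot: The Notes lines give the mitigating condition (no harm unless the write_mmio tracepoint is enabled), but every branch line is a plain "needed" and nothing records whether that tracepoint is enabled by default or who is able to enable it. Adding that to the note would let readers judge the priority of the backports. The "upstream: pending [e39d200fa5bf5b94a0948db0dae44c1b73b84a56]" line will also need a follow-up change to the "released (version)" form used by the other entries in this commit once the fix lands.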