[kernel-sec-discuss] r5795 - active

Ben Hutchings benh at moszumanska.debian.org
Tue Dec 19 23:17:42 UTC 2017 

Author: benh
Date: 2017-12-19 23:17:42 +0000 (Tue, 19 Dec 2017)
New Revision: 5795

Modified:
   active/CVE-2017-1000405
   active/CVE-2017-1000407
   active/CVE-2017-15121
   active/CVE-2017-15868
   active/CVE-2017-16526
   active/CVE-2017-16645
   active/CVE-2017-16939
   active/CVE-2017-17448
   active/CVE-2017-17449
   active/CVE-2017-17450
   active/CVE-2017-17558
   active/CVE-2017-8824
Log:
Mark issues pending in stable branches

Modified: active/CVE-2017-1000405
===================================================================
--- active/CVE-2017-1000405	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-1000405	2017-12-19 23:17:42 UTC (rev 5795)
@@ -11,7 +11,7 @@
 Bugs:
 upstream: released (4.15-rc2) [a8f97366452ed491d13cf1e44241bc0b5740b1f0]
 4.9-upstream-stable: released (4.9.67) [7031ae2ab37d3df53c4a4e9903329a5d38c745ec]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [mm-thp-do-not-make-page-table-dirty-unconditionally-in-touch_pd.patch]
 3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.14.2-1) [bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch]
 4.9-stretch-security: released (4.9.65-1)

Modified: active/CVE-2017-1000407
===================================================================
--- active/CVE-2017-1000407	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-1000407	2017-12-19 23:17:42 UTC (rev 5795)
@@ -6,8 +6,8 @@
 Bugs:
 upstream: released (4.15-rc3) [d59d51f088014f25c2562de59b9abff4f42a7468]
 4.9-upstream-stable: released (4.9.69) [6ead44d4b5b8b1ecfcbd2302f15028dab7774da3]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch]
+3.2-upstream-stable: pending (3.2.97) [kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch]
 sid: needed
 4.9-stretch-security: needed
 3.16-jessie-security: needed

Modified: active/CVE-2017-15121
===================================================================
--- active/CVE-2017-15121	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-15121	2017-12-19 23:17:42 UTC (rev 5795)
@@ -4,6 +4,8 @@
 Notes:
  bwh> Red Hat reports this as affecting RHEL 6 (2.6.32ish) and 7 (3.10ish),
  bwh> so I assume that 3.2 is affected.
+ bwh> The upstream fix depends on commit d47992f86b30 "mm: change invalidatepage
+ bwh> prototype to accept length" etc.  We'll need something simpler for 3.2.
 Bugs:
 upstream: released (3.11-rc1) [5a7203947a1d9b6f3a00a39fda08c2466489555f]
 4.9-upstream-stable: N/A "Fixed before branching point"

Modified: active/CVE-2017-15868
===================================================================
--- active/CVE-2017-15868	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-15868	2017-12-19 23:17:42 UTC (rev 5795)
@@ -9,8 +9,8 @@
 Bugs:
 upstream: released (3.19-rc3) [71bb99a02b32b4cc4265118e85f6035ca72923f0]
 4.9-upstream-stable: N/A "Fixed before branching point"
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [bluetooth-bnep-bnep_add_connection-should-verify-tha.patch]
+3.2-upstream-stable: pending (3.2.97) [bluetooth-bnep-bnep_add_connection-should-verify-tha.patch]
 sid: released (4.0.2-1)
 4.9-stretch-security: N/A "Fixed before branching point"
 3.16-jessie-security: needed

Modified: active/CVE-2017-16526
===================================================================
--- active/CVE-2017-16526	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-16526	2017-12-19 23:17:42 UTC (rev 5795)
@@ -8,8 +8,8 @@
 Bugs:
 upstream: released (4.14-rc4) [bbf26183b7a6236ba602f4d6a2f7cade35bba043]
 4.9-upstream-stable: released (4.9.55) [8ff7adb930d4a62f43dfc76220a988a043c510ff]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [uwb-properly-check-kthread_run-return-value.patch]
+3.2-upstream-stable: pending (3.2.97) [uwb-properly-check-kthread_run-return-value.patch]
 sid: released (4.13.10-1)
 4.9-stretch-security: released (4.9.65-1)
 3.16-jessie-security: needed

Modified: active/CVE-2017-16645
===================================================================
--- active/CVE-2017-16645	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-16645	2017-12-19 23:17:42 UTC (rev 5795)
@@ -6,7 +6,7 @@
 Bugs:
 upstream: released (4.14-rc6) [ea04efee7635c9120d015dcdeeeb6988130cb67a]
 4.9-upstream-stable: released (4.9.63) [9d65d0ea55dcb813cea7df05602f233ad4843baf]
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch]
 3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.14.2-1)
 4.9-stretch-security: released (4.9.65-1)

Modified: active/CVE-2017-16939
===================================================================
--- active/CVE-2017-16939	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-16939	2017-12-19 23:17:42 UTC (rev 5795)
@@ -6,8 +6,8 @@
 Bugs:
 upstream: released (4.14-rc7) [1137b5e2529a8f5ca8ee709288ecba3e68044df2]
 4.9-upstream-stable: released (4.9.60) [543aabb7d14b2414f40b632e37b0921bd0af3a96]
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [ipsec-fix-aborted-xfrm-policy-dump-crash.patch]
+3.2-upstream-stable: pending (3.2.97) [ipsec-fix-aborted-xfrm-policy-dump-crash.patch]
 sid: released (4.13.13-1)
 4.9-stretch-security: released (4.9.65-1)
 3.16-jessie-security: needed

Modified: active/CVE-2017-17448
===================================================================
--- active/CVE-2017-17448	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-17448	2017-12-19 23:17:42 UTC (rev 5795)
@@ -7,7 +7,7 @@
 Bugs:
 upstream: released (4.15-rc4) [4b380c42f7d00a395feede754f0bc2292eebe6e5]
 4.9-upstream-stable: needed
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch]
 3.2-upstream-stable: N/A "User namespaces not supported"
 sid: needed
 4.9-stretch-security: needed

Modified: active/CVE-2017-17449
===================================================================
--- active/CVE-2017-17449	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-17449	2017-12-19 23:17:42 UTC (rev 5795)
@@ -5,12 +5,14 @@
 Notes:
  bwh> The fix accepted upstream is the second version, which doesn't treat the
  bwh> init namespace as special.
+ bwh> Introduced in 3.11 by commit bcbde0d449ed "net: netlink: virtual tap device
+ bwh> management".
 Bugs:
 upstream: released (4.15-rc4) [93c647643b48f0131f02e45da3bd367d80443291]
 4.9-upstream-stable: needed
-3.16-upstream-stable: needed
-3.2-upstream-stable: ignored "Minor issue as user namespaces not supported"
+3.16-upstream-stable: pending (3.16.52) [netlink-add-netns-check-on-taps.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: needed
 4.9-stretch-security: needed
 3.16-jessie-security: needed
-3.2-wheezy-security: ignored "Minor issue as user namespaces not supported"
+3.2-wheezy-security: N/A "Vulnerable code not present"

Modified: active/CVE-2017-17450
===================================================================
--- active/CVE-2017-17450	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-17450	2017-12-19 23:17:42 UTC (rev 5795)
@@ -5,7 +5,7 @@
 Bugs:
 upstream: released (4.15-rc4) [916a27901de01446bcf57ecca4783f6cff493309]
 4.9-upstream-stable: needed
-3.16-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [netfilter-xt_osf-add-missing-permission-checks.patch]
 3.2-upstream-stable: N/A "User namespaces not supported"
 sid: needed
 4.9-stretch-security: needed

Modified: active/CVE-2017-17558
===================================================================
--- active/CVE-2017-17558	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-17558	2017-12-19 23:17:42 UTC (rev 5795)
@@ -6,9 +6,9 @@
  bwh> This appears to pre-date git history.
 Bugs:
 upstream: released (4.15-rc4) [48a4ff1c7bb5a32d2e396b03132d20d552c0eca7]
-4.9-upstream-stable: needed
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+4.9-upstream-stable: pending (4.9.71) [usb-core-prevent-malicious-bnuminterfaces-overflow.patch]
+3.16-upstream-stable: pending (3.16.52) [usb-core-prevent-malicious-bnuminterfaces-overflow.patch]
+3.2-upstream-stable: pending (3.2.97) [usb-core-prevent-malicious-bnuminterfaces-overflow.patch]
 sid: needed
 4.9-stretch-security: needed
 3.16-jessie-security: needed

Modified: active/CVE-2017-8824
===================================================================
--- active/CVE-2017-8824	2017-12-19 22:42:16 UTC (rev 5794)
+++ active/CVE-2017-8824	2017-12-19 23:17:42 UTC (rev 5795)
@@ -6,8 +6,8 @@
 Bugs:
 upstream: released (4.15-rc3) [69c64866ce072dea1d1e59a0d61e0f66c0dffb76]
 4.9-upstream-stable: needed
-3.16-upstream-stable: needed
-3.2-upstream-stable: needed
+3.16-upstream-stable: pending (3.16.52) [dccp-cve-2017-8824-use-after-free-in-dccp-code.patch]
+3.2-upstream-stable: pending (3.2.97) [dccp-cve-2017-8824-use-after-free-in-dccp-code.patch]
 sid: needed
 4.9-stretch-security: needed
 3.16-jessie-security: needed

More information about the kernel-sec-discuss mailing list