[kernel-sec-discuss] r5834 - active retired
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sun Dec 24 07:36:56 UTC 2017
Author: carnil
Date: 2017-12-24 07:36:56 +0000 (Sun, 24 Dec 2017)
New Revision: 5834
Added:
retired/CVE-2017-15126
retired/CVE-2017-15127
retired/CVE-2017-16996
retired/CVE-2017-17852
retired/CVE-2017-17853
retired/CVE-2017-17854
retired/CVE-2017-17855
retired/CVE-2017-17856
retired/CVE-2017-17857
Removed:
active/CVE-2017-15126
active/CVE-2017-15127
active/CVE-2017-16996
active/CVE-2017-17852
active/CVE-2017-17853
active/CVE-2017-17854
active/CVE-2017-17855
active/CVE-2017-17856
active/CVE-2017-17857
Log:
Retire several CVEs
Deleted: active/CVE-2017-15126
===================================================================
--- active/CVE-2017-15126 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-15126 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,15 +0,0 @@
-Description: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1523481
-Notes:
- bwh> Introduced in 4.11 by commit 893e26e61d04 "userfaultfd: non-cooperative:
- bwh> Add fork() event".
-Bugs:
-upstream: released (4.14-rc4) [384632e67e0829deb8015ee6ad916b180049d252]
-4.9-upstream-stable: N/A "Vulnerable code not present"
-3.16-upstream-stable: N/A "Vulnerable code not present"
-3.2-upstream-stable: N/A "Vulnerable code not present"
-sid: released (4.13.10-1)
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-15127
===================================================================
--- active/CVE-2017-15127 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-15127 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,15 +0,0 @@
-Description: Improper error handling of VM_SHARED hugetlbfs mapping in mm/hugetlb.c
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1525218
-Notes:
- bwh> Appears to have been introduced in 4.11 by commit 8fb5debc5fcd "userfaultfd:
- bwh> hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support".
-Bugs:
-upstream: released (4.13-rc5) [5af10dfd0afc559bb4b0f7e3e8227a1578333995]
-4.9-upstream-stable: N/A "Vulnerable code not present"
-3.16-upstream-stable: N/A "Vulnerable code not present"
-3.2-upstream-stable: N/A "Vulnerable code not present"
-sid: released (4.13.4-1)
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-16996
===================================================================
--- active/CVE-2017-16996 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-16996 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,15 +0,0 @@
-Description: bpf: fix incorrect tracking of register size truncation
-References:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced in 4.14-rc1 with b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2
-Bugs:
-upstream: released (4.15-rc5) [0c17d1d2c61936401f4702e1846e2c19b200f958]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch]
-4.9-stretch-security: N/A "Vulnerable code introduced later"
-3.16-jessie-security: N/A "Vulnerable code introduced later"
-3.2-wheezy-security: N/A "Vulnerable code introduced later"
Deleted: active/CVE-2017-17852
===================================================================
--- active/CVE-2017-17852 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17852 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf: fix 32-bit ALU op verification
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced with f1174f77b50c94eecaa658fdc56fa69b421de4b8 in v4.14-rc1.
-Bugs:
-upstream: released (4.15-rc5) [468f6eafa6c44cb2c5d8aad35e12f06c240a812a]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-fix-32-bit-alu-op-verification.patch]
-4.9-stretch-security: N/A "Vulnerable code introduced later"
-3.16-jessie-security: N/A "Vulnerable code introduced later"
-3.2-wheezy-security: N/A "Vulnerable code introduced later"
Deleted: active/CVE-2017-17853
===================================================================
--- active/CVE-2017-17853 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17853 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf/verifier: fix bounds calculation on BPF_RSH
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced by b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2 in 4.14-rc1
-Bugs:
-upstream: released (4.15-rc5) [4374f256ce8182019353c0c639bb8d0695b4c941]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [/bugfix/all/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch]
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-17854
===================================================================
--- active/CVE-2017-17854 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17854 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf: fix integer overflows
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
-Bugs:
-upstream: released (4.15-rc5) [bb7f0f989ca7de1153bd128a40a71709e339fa03]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-fix-integer-overflows.patch]
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-17855
===================================================================
--- active/CVE-2017-17855 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17855 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf: don't prune branches when a scalar is replaced with a pointer
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced in f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
-Bugs:
-upstream: released (4.15-rc5) [179d1c5602997fef5a940c6ddcf31212cbfebd14]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch]
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-17856
===================================================================
--- active/CVE-2017-17856 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17856 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf: force strict alignment checks for stack pointers
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
-Bugs:
-upstream: released (4.15-rc5) [a5ec6ae161d72f01411169a938fa5f8baea16e8f]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch]
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Deleted: active/CVE-2017-17857
===================================================================
--- active/CVE-2017-17857 2017-12-24 07:31:35 UTC (rev 5833)
+++ active/CVE-2017-17857 2017-12-24 07:36:56 UTC (rev 5834)
@@ -1,14 +0,0 @@
-Description: bpf: fix missing error return in check_stack_boundary()
-References:
- http://www.openwall.com/lists/oss-security/2017/12/21/2
-Notes:
- carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
-Bugs:
-upstream: released (4.15-rc5) [ea25f914dc164c8d56b36147ecc86bc65f83c469]
-4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
-sid: released (4.14.7-1) [bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch]
-4.9-stretch-security: N/A "Vulnerable code not present"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-15126 (from rev 5833, active/CVE-2017-15126)
===================================================================
--- retired/CVE-2017-15126 (rev 0)
+++ retired/CVE-2017-15126 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,15 @@
+Description: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1523481
+Notes:
+ bwh> Introduced in 4.11 by commit 893e26e61d04 "userfaultfd: non-cooperative:
+ bwh> Add fork() event".
+Bugs:
+upstream: released (4.14-rc4) [384632e67e0829deb8015ee6ad916b180049d252]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.13.10-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-15127 (from rev 5833, active/CVE-2017-15127)
===================================================================
--- retired/CVE-2017-15127 (rev 0)
+++ retired/CVE-2017-15127 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,15 @@
+Description: Improper error handling of VM_SHARED hugetlbfs mapping in mm/hugetlb.c
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1525218
+Notes:
+ bwh> Appears to have been introduced in 4.11 by commit 8fb5debc5fcd "userfaultfd:
+ bwh> hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support".
+Bugs:
+upstream: released (4.13-rc5) [5af10dfd0afc559bb4b0f7e3e8227a1578333995]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.13.4-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-16996 (from rev 5833, active/CVE-2017-16996)
===================================================================
--- retired/CVE-2017-16996 (rev 0)
+++ retired/CVE-2017-16996 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,15 @@
+Description: bpf: fix incorrect tracking of register size truncation
+References:
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced in 4.14-rc1 with b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2
+Bugs:
+upstream: released (4.15-rc5) [0c17d1d2c61936401f4702e1846e2c19b200f958]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch]
+4.9-stretch-security: N/A "Vulnerable code introduced later"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
+3.2-wheezy-security: N/A "Vulnerable code introduced later"
Copied: retired/CVE-2017-17852 (from rev 5833, active/CVE-2017-17852)
===================================================================
--- retired/CVE-2017-17852 (rev 0)
+++ retired/CVE-2017-17852 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf: fix 32-bit ALU op verification
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced with f1174f77b50c94eecaa658fdc56fa69b421de4b8 in v4.14-rc1.
+Bugs:
+upstream: released (4.15-rc5) [468f6eafa6c44cb2c5d8aad35e12f06c240a812a]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-fix-32-bit-alu-op-verification.patch]
+4.9-stretch-security: N/A "Vulnerable code introduced later"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
+3.2-wheezy-security: N/A "Vulnerable code introduced later"
Copied: retired/CVE-2017-17853 (from rev 5833, active/CVE-2017-17853)
===================================================================
--- retired/CVE-2017-17853 (rev 0)
+++ retired/CVE-2017-17853 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf/verifier: fix bounds calculation on BPF_RSH
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced by b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2 in 4.14-rc1
+Bugs:
+upstream: released (4.15-rc5) [4374f256ce8182019353c0c639bb8d0695b4c941]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [/bugfix/all/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-17854 (from rev 5833, active/CVE-2017-17854)
===================================================================
--- retired/CVE-2017-17854 (rev 0)
+++ retired/CVE-2017-17854 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf: fix integer overflows
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
+Bugs:
+upstream: released (4.15-rc5) [bb7f0f989ca7de1153bd128a40a71709e339fa03]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-fix-integer-overflows.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-17855 (from rev 5833, active/CVE-2017-17855)
===================================================================
--- retired/CVE-2017-17855 (rev 0)
+++ retired/CVE-2017-17855 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf: don't prune branches when a scalar is replaced with a pointer
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced in f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
+Bugs:
+upstream: released (4.15-rc5) [179d1c5602997fef5a940c6ddcf31212cbfebd14]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-17856 (from rev 5833, active/CVE-2017-17856)
===================================================================
--- retired/CVE-2017-17856 (rev 0)
+++ retired/CVE-2017-17856 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf: force strict alignment checks for stack pointers
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
+Bugs:
+upstream: released (4.15-rc5) [a5ec6ae161d72f01411169a938fa5f8baea16e8f]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2017-17857 (from rev 5833, active/CVE-2017-17857)
===================================================================
--- retired/CVE-2017-17857 (rev 0)
+++ retired/CVE-2017-17857 2017-12-24 07:36:56 UTC (rev 5834)
@@ -0,0 +1,14 @@
+Description: bpf: fix missing error return in check_stack_boundary()
+References:
+ http://www.openwall.com/lists/oss-security/2017/12/21/2
+Notes:
+ carnil> Introduced by f1174f77b50c94eecaa658fdc56fa69b421de4b8 in 4.14-rc1
+Bugs:
+upstream: released (4.15-rc5) [ea25f914dc164c8d56b36147ecc86bc65f83c469]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.14-rc1"
+sid: released (4.14.7-1) [bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
More information about the kernel-sec-discuss
mailing list