[kernel-sec-discuss] r5529 - active retired

Ben Hutchings benh at moszumanska.debian.org
Thu Sep 7 15:58:18 UTC 2017


Author: benh
Date: 2017-09-07 15:58:17 +0000 (Thu, 07 Sep 2017)
New Revision: 5529

Added:
   retired/CVE-2017-13693
   retired/CVE-2017-13694
   retired/CVE-2017-13695
Removed:
   active/CVE-2017-13693
   active/CVE-2017-13694
   active/CVE-2017-13695
Modified:
   active/CVE-2017-14106
   active/CVE-2017-14140
   active/CVE-2017-14156
   active/CVE-2017-7558
Log:
Fill in missing status fields and retire non-issues

Deleted: active/CVE-2017-13693
===================================================================
--- active/CVE-2017-13693	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-13693	2017-09-07 15:58:17 UTC (rev 5529)
@@ -1,13 +0,0 @@
-Description:
-References:
- https://patchwork.kernel.org/patch/9919053/
-Notes:
-Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:

Deleted: active/CVE-2017-13694
===================================================================
--- active/CVE-2017-13694	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-13694	2017-09-07 15:58:17 UTC (rev 5529)
@@ -1,13 +0,0 @@
-Description:
-References:
- https://patchwork.kernel.org/patch/9806085/
-Notes:
-Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:

Deleted: active/CVE-2017-13695
===================================================================
--- active/CVE-2017-13695	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-13695	2017-09-07 15:58:17 UTC (rev 5529)
@@ -1,13 +0,0 @@
-Description:
-References:
- https://patchwork.kernel.org/patch/9850567/
-Notes:
-Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:

Modified: active/CVE-2017-14106
===================================================================
--- active/CVE-2017-14106	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-14106	2017-09-07 15:58:17 UTC (rev 5529)
@@ -2,12 +2,14 @@
 References:
  https://groups.google.com/forum/#!topic/syzkaller/e4SrsEBEziQ
 Notes:
+ bwh> This might not be possible in earlier versions, but it does look
+ bwh> plausible and the fix should have no effect if it's not possible.
 Bugs:
 upstream: released (4.12-rc3) [499350a5a6e7512d9ed369ed63a4244b6536f4f8]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.12.6-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
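
Review bot: The bwh> note at the top of this hunk says the issue might not be possible in earlier versions, yet 3.16 and 3.2 are set to plain needed with nothing to tell them apart from 4.9. Suggest the note name which branches are in doubt, so whoever backports 499350a5a6e7512d9ed369ed63a4244b6536f4f8 knows reachability was not confirmed there.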

Modified: active/CVE-2017-14140
===================================================================
--- active/CVE-2017-14140	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-14140	2017-09-07 15:58:17 UTC (rev 5529)
@@ -4,9 +4,9 @@
 Bugs:
 upstream: released (4.13-rc6) [197e7e521384a23b9e585178f3f11c9fa08274b9]
 4.9-upstream-stable: released (4.9.45) [61332dc598c3f223678b2d7192ccf3472c544799]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: pending (4.12.10-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-14156
===================================================================
--- active/CVE-2017-14156	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-14156	2017-09-07 15:58:17 UTC (rev 5529)
@@ -5,11 +5,11 @@
  https://marc.info/?l=linux-kernel&m=150453196710422&w=2
 Notes:
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
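
Review bot: Notes stays empty while every field, upstream included, goes from blank to needed. With no fix commit to cite yet, a one-line note saying whether the marc.info post in References is a report or a proposed patch would let the next reader tell what the upstream: needed entry is waiting on.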

Modified: active/CVE-2017-7558
===================================================================
--- active/CVE-2017-7558	2017-09-07 07:54:30 UTC (rev 5528)
+++ active/CVE-2017-7558	2017-09-07 15:58:17 UTC (rev 5529)
@@ -6,13 +6,14 @@
  carnil> proposed patch in https://marc.info/?l=linux-netdev&m=150348777122761&w=2
  carnil> the bug is said to be present from 4.7-rc1 on wards, but needs to be
  carnil> checked if we have otherwise backport the issue
+ bwh> The sctp_diag code was added in 4.7 and we did not backport it.
 Bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=1480266
 upstream: released (4.13) [ee6c88bb754e3d363e568da78086adfedb692447]
 4.9-upstream-stable: needed
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: needed
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
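
Review bot: The added bwh> line justifies the four N/A entries by saying the sctp_diag code was added in 4.7, but gives no commit id for that, unlike the upstream: line, which cites the fix. Adding the introducing commit would make the N/A status checkable against the 3.16 and 3.2 trees without re-deriving it.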

Copied: retired/CVE-2017-13693 (from rev 5528, active/CVE-2017-13693)
===================================================================
--- retired/CVE-2017-13693	                        (rev 0)
+++ retired/CVE-2017-13693	2017-09-07 15:58:17 UTC (rev 5529)
@@ -0,0 +1,15 @@
+Description: Invalid ACPI table triggers warning
+References:
+ https://patchwork.kernel.org/patch/9919053/
+Notes:
+ bwh> This is not a security issue, since ACPI tables must already be
+ bwh> trusted.
+Bugs:
+upstream: ignored "Not a security issue"
+4.9-upstream-stable: ignored "Not a security issue"
+3.16-upstream-stable: ignored "Not a security issue"
+3.2-upstream-stable: ignored "Not a security issue"
+sid: ignored "Not a security issue"
+4.9-stretch-security: ignored "Not a security issue"
+3.16-jessie-security: ignored "Not a security issue"
+3.2-wheezy-security: ignored "Not a security issue"
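
Review bot: Description is the same string, Invalid ACPI table triggers warning, in all three retired files (CVE-2017-13693, CVE-2017-13694, CVE-2017-13695), so only the patchwork URL distinguishes them. Suggest each Description name the code path or warning its patch addresses. The bwh> rationale could also say in one clause why ACPI tables are trusted input, since the ignored status in every field rests on that.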

Copied: retired/CVE-2017-13694 (from rev 5528, active/CVE-2017-13694)
===================================================================
--- retired/CVE-2017-13694	                        (rev 0)
+++ retired/CVE-2017-13694	2017-09-07 15:58:17 UTC (rev 5529)
@@ -0,0 +1,15 @@
+Description: Invalid ACPI table triggers warning
+References:
+ https://patchwork.kernel.org/patch/9806085/
+Notes:
+ bwh> This is not a security issue, since ACPI tables must already be
+ bwh> trusted.
+Bugs:
+upstream: ignored "Not a security issue"
+4.9-upstream-stable: ignored "Not a security issue"
+3.16-upstream-stable: ignored "Not a security issue"
+3.2-upstream-stable: ignored "Not a security issue"
+sid: ignored "Not a security issue"
+4.9-stretch-security: ignored "Not a security issue"
+3.16-jessie-security: ignored "Not a security issue"
+3.2-wheezy-security: ignored "Not a security issue"

Copied: retired/CVE-2017-13695 (from rev 5528, active/CVE-2017-13695)
===================================================================
--- retired/CVE-2017-13695	                        (rev 0)
+++ retired/CVE-2017-13695	2017-09-07 15:58:17 UTC (rev 5529)
@@ -0,0 +1,15 @@
+Description: Invalid ACPI table triggers warning
+References:
+ https://patchwork.kernel.org/patch/9850567/
+Notes:
+ bwh> This is not a security issue, since ACPI tables must already be
+ bwh> trusted.
+Bugs:
+upstream: ignored "Not a security issue"
+4.9-upstream-stable: ignored "Not a security issue"
+3.16-upstream-stable: ignored "Not a security issue"
+3.2-upstream-stable: ignored "Not a security issue"
+sid: ignored "Not a security issue"
+4.9-stretch-security: ignored "Not a security issue"
+3.16-jessie-security: ignored "Not a security issue"
+3.2-wheezy-security: ignored "Not a security issue"



