author Ben Hutchings <ben@decadent.org.uk> 2021-03-07 23:25:50 +0100
committer Ben Hutchings <ben@decadent.org.uk> 2021-03-07 23:25:50 +0100
commit 006f66244481daa1af1e4667fb763317e9e4c9cc
tree 06e79cb223419bebbc151e2fe7ca53df151e13e8
parent 50c02c464a7b65e099c40a1ecd715c924e152fb4
Fill in status of various issues
-rw-r--r-- active/CVE-2020-12363 | 7
-rw-r--r-- active/CVE-2020-12364 | 7
-rw-r--r-- active/CVE-2020-27066 | 20
-rw-r--r-- active/CVE-2020-35501 | 16
-rw-r--r-- active/CVE-2021-0399 | 19
-rw-r--r-- active/CVE-2021-26934 | 4
-rw-r--r-- active/CVE-2021-3348 | 4
7 files changed, 44 insertions, 33 deletions
diff --git a/active/CVE-2020-12363 b/active/CVE-2020-12363
index bfd44bb6..33265114 100644
--- a/active/CVE-2020-12363
+++ b/active/CVE-2020-12363
@@ -9,11 +9,12 @@ Notes:
carnil> firmware is required. The new firmware requires a kernel patch
carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
carnil> So might not be treaded as Linux issue itself.
+ bwh> The advisory says this is only a driver issue.
Bugs:
-upstream:
-5.10-upstream-stable:
+upstream: released (5.5)
+5.10-upstream-stable: N/A "Fixed before branch point"
4.19-upstream-stable:
4.9-upstream-stable:
-sid:
+sid: released (5.5.13-1)
4.19-buster-security:
4.9-stretch-security:
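Review bot: the new "upstream: released (5.5)" line records no commit id, unlike the bracketed hashes given for released entries elsewhere in this commit (for example CVE-2020-27066). The only commit named in the visible notes is c784e5249e773689e38d2bc1749f08b986621a26, so it is unclear whether 5.5 refers to that commit or to a different one; adding the hash in brackets would make the version checkable.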
diff --git a/active/CVE-2020-12364 b/active/CVE-2020-12364
index bfd44bb6..33265114 100644
--- a/active/CVE-2020-12364
+++ b/active/CVE-2020-12364
@@ -9,11 +9,12 @@ Notes:
carnil> firmware is required. The new firmware requires a kernel patch
carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
carnil> So might not be treaded as Linux issue itself.
+ bwh> The advisory says this is only a driver issue.
Bugs:
-upstream:
-5.10-upstream-stable:
+upstream: released (5.5)
+5.10-upstream-stable: N/A "Fixed before branch point"
4.19-upstream-stable:
4.9-upstream-stable:
-sid:
+sid: released (5.5.13-1)
4.19-buster-security:
4.9-stretch-security:
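Review bot: 4.19-upstream-stable, 4.9-upstream-stable, 4.19-buster-security and 4.9-stretch-security stay blank in this hunk although upstream is now recorded as fixed in 5.5, so the older branches remain undetermined after the change; each should get either "needed" or an N/A reason. The index line (bfd44bb6..33265114) is the same as for CVE-2020-12363, so the two files are identical before and after, and any correction made to one applies to the other.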
diff --git a/active/CVE-2020-27066 b/active/CVE-2020-27066
index 98a675a7..aeac2a02 100644
--- a/active/CVE-2020-27066
+++ b/active/CVE-2020-27066
@@ -16,11 +16,17 @@ Notes:
carnil> 5.4.29, 4.19.114, 4.14.175, 4.9.218 and 4.4.218?
carnil> Android Security team indicated that this indeed seem a good
carnil> candidate.
+ bwh> Commit 4c59406ed003 fixes double-free of xfrm_policy, but I'm
+ bwh> not sure how it relates to a use-after-free in xfrm6_tunnel
+ bwh> (xfrm6_tunnel_free_spi() is called via __xfrm_state_destroy(),
+ bwh> via xfrm_state_put(), so what calls that?). However I agree
+ bwh> it is the only commit in that range that could plausibly have
+ bwh> fixed the issue.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: released (5.6) [4c59406ed00379c8663f8663d82b2537467ce9d7]
+5.10-upstream-stable: N/A "Fixed before branch point"
+4.19-upstream-stable: released (4.19.114) [7ad217a824f7fab1e8534a6dfa82899ae1900bcb]
+4.9-upstream-stable: released (4.9.218) [86e98ce7de083649e330d518e98a80b9e39b5d43]
+sid: released (5.6.7-1)
+4.19-buster-security: released (4.19.118-1)
+4.9-stretch-security: released (4.9.228-1)
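Review bot: all seven status lines are set to "released" on the strength of 4c59406ed003, while the added bwh note says it is unclear how that commit relates to the use-after-free in xfrm6_tunnel and leaves "so what calls that?" unanswered. Consider stating in the note that the status entries rest on this unconfirmed identification, so that they are revisited if a different fix commit turns up.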
diff --git a/active/CVE-2020-35501 b/active/CVE-2020-35501
index 5dfbd954..4cb83d87 100644
--- a/active/CVE-2020-35501
+++ b/active/CVE-2020-35501
@@ -1,13 +1,13 @@
-Description: Vulnerability in the Linux Audit Framework Auditd
+Description: Linux audit framework misses {name_to,open_by}_handle_at()
References:
https://www.openwall.com/lists/oss-security/2021/02/18/1
https://lore.kernel.org/linux-audit/7230785.EvYhyI6sBW@x2/
Notes:
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
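Review bot: every branch changes from blank to "needed", but "Notes:" is left empty, so the file gives no reason for treating all branches as affected and does not say whether a fix exists in the two linked threads. A short note summarising what the references say would make the "needed" entries verifiable.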
diff --git a/active/CVE-2021-0399 b/active/CVE-2021-0399
index 813837a6..19fe4b65 100644
--- a/active/CVE-2021-0399
+++ b/active/CVE-2021-0399
@@ -1,15 +1,18 @@
-Description:
+Description: Use-after-free in Android xt_qtaguid
References:
https://source.android.com/security/bulletin/2021-03-01
+ https://android.googlesource.com/kernel/common/+/2bd81ced0685922df12f4be3338ea632805624e9
Notes:
carnil> Bulletin refers to upstream kernel but unconfirmed. According
carnil> to Moritz this is just in Android specific xt_qtaguid code and
carnil> so actually not "upstream kernel".
+ bwh> The bulletin links to source commits which are definitely not
+ bwh> touching upstream code.
Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: N/A "Vulnerable code not present"
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2021-26934 b/active/CVE-2021-26934
index 2f474957..34a2c453 100644
--- a/active/CVE-2021-26934
+++ b/active/CVE-2021-26934
@@ -9,7 +9,7 @@ Bugs:
upstream:
5.10-upstream-stable:
4.19-upstream-stable:
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Affected code not present"
sid:
4.19-buster-security:
-4.9-stretch-security:
+4.9-stretch-security: N/A "Affected code not present"
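Review bot: the reason string on the two changed 4.9 lines is "Affected code not present", while the other entries of this kind in the same commit (CVE-2021-0399, CVE-2021-3348) use "Vulnerable code not present". Pick one wording so that the N/A reasons can be searched and compared consistently.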
diff --git a/active/CVE-2021-3348 b/active/CVE-2021-3348
index 35abfe3f..14d00662 100644
--- a/active/CVE-2021-3348
+++ b/active/CVE-2021-3348
@@ -7,7 +7,7 @@ Bugs:
upstream: released (5.11-rc6) [b98e762e3d71e893b221f871825dc64694cfb258]
5.10-upstream-stable: released (5.10.13) [41f6f4a3143506ea1499cda2f14a16a2f82118a8]
4.19-upstream-stable: released (4.19.173) [424838c0f727f1d11ce2ccaabba96f4346c03906]
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerable code not present"
sid: released (5.10.13-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: N/A "Vulnerable code not present"
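Review bot: the two 4.9 lines become N/A "Vulnerable code not present" with nothing in the hunk saying which change introduced the vulnerable code. The fix commits are listed for upstream, 5.10 and 4.19; naming the introducing commit or kernel version in a note would let a reader confirm that 4.9 predates it.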
