diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2021-03-07 23:25:50 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2021-03-07 23:25:50 +0100 |
commit | 006f66244481daa1af1e4667fb763317e9e4c9cc (patch) | |
tree | 06e79cb223419bebbc151e2fe7ca53df151e13e8 | |
parent | 50c02c464a7b65e099c40a1ecd715c924e152fb4 (diff) |
Fill in status of various issues
-rw-r--r-- | active/CVE-2020-12363 | 7 | ||||
-rw-r--r-- | active/CVE-2020-12364 | 7 | ||||
-rw-r--r-- | active/CVE-2020-27066 | 20 | ||||
-rw-r--r-- | active/CVE-2020-35501 | 16 | ||||
-rw-r--r-- | active/CVE-2021-0399 | 19 | ||||
-rw-r--r-- | active/CVE-2021-26934 | 4 | ||||
-rw-r--r-- | active/CVE-2021-3348 | 4 |
7 files changed, 44 insertions, 33 deletions
diff --git a/active/CVE-2020-12363 b/active/CVE-2020-12363 index bfd44bb6..33265114 100644 --- a/active/CVE-2020-12363 +++ b/active/CVE-2020-12363 @@ -9,11 +9,12 @@ Notes: carnil> firmware is required. The new firmware requires a kernel patch carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26 carnil> So might not be treaded as Linux issue itself. + bwh> The advisory says this is only a driver issue. Bugs: -upstream: -5.10-upstream-stable: +upstream: released (5.5) +5.10-upstream-stable: N/A "Fixed before branch point" 4.19-upstream-stable: 4.9-upstream-stable: -sid: +sid: released (5.5.13-1) 4.19-buster-security: 4.9-stretch-security: diff --git a/active/CVE-2020-12364 b/active/CVE-2020-12364 index bfd44bb6..33265114 100644 --- a/active/CVE-2020-12364 +++ b/active/CVE-2020-12364 @@ -9,11 +9,12 @@ Notes: carnil> firmware is required. The new firmware requires a kernel patch carnil> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26 carnil> So might not be treaded as Linux issue itself. + bwh> The advisory says this is only a driver issue. Bugs: -upstream: -5.10-upstream-stable: +upstream: released (5.5) +5.10-upstream-stable: N/A "Fixed before branch point" 4.19-upstream-stable: 4.9-upstream-stable: -sid: +sid: released (5.5.13-1) 4.19-buster-security: 4.9-stretch-security: diff --git a/active/CVE-2020-27066 b/active/CVE-2020-27066 index 98a675a7..aeac2a02 100644 --- a/active/CVE-2020-27066 +++ b/active/CVE-2020-27066 @@ -16,11 +16,17 @@ Notes: carnil> 5.4.29, 4.19.114, 4.14.175, 4.9.218 and 4.4.218? carnil> Android Security team indicated that this indeed seem a good carnil> candidate. + bwh> Commit 4c59406ed003 fixes double-free of xfrm_policy, but I'm + bwh> not sure how it relates to a use-after-free in xfrm6_tunnel + bwh> (xfrm6_tunnel_free_spi() is called via __xfrm_state_destroy(), + bwh> via xfrm_state_put(), so what calls that?). However I agree + bwh> it is the only commit in that range that could plausibly have + bwh> fixed the issue. Bugs: -upstream: -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +upstream: released (5.6) [4c59406ed00379c8663f8663d82b2537467ce9d7] +5.10-upstream-stable: N/A "Fixed before branch point" +4.19-upstream-stable: released (4.19.114) [7ad217a824f7fab1e8534a6dfa82899ae1900bcb] +4.9-upstream-stable: released (4.9.218) [86e98ce7de083649e330d518e98a80b9e39b5d43] +sid: released (5.6.7-1) +4.19-buster-security: released (4.19.118-1) +4.9-stretch-security: released (4.9.228-1) diff --git a/active/CVE-2020-35501 b/active/CVE-2020-35501 index 5dfbd954..4cb83d87 100644 --- a/active/CVE-2020-35501 +++ b/active/CVE-2020-35501 @@ -1,13 +1,13 @@ -Description: Vulnerability in the Linux Audit Framework Auditd +Description: Linux audit framework misses {name_to,open_by}_handle_at() References: https://www.openwall.com/lists/oss-security/2021/02/18/1 https://lore.kernel.org/linux-audit/7230785.EvYhyI6sBW@x2/ Notes: Bugs: -upstream: -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +upstream: needed +5.10-upstream-stable: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed +sid: needed +4.19-buster-security: needed +4.9-stretch-security: needed diff --git a/active/CVE-2021-0399 b/active/CVE-2021-0399 index 813837a6..19fe4b65 100644 --- a/active/CVE-2021-0399 +++ b/active/CVE-2021-0399 @@ -1,15 +1,18 @@ -Description: +Description: Use-after-free in Android xt_qtaguid References: https://source.android.com/security/bulletin/2021-03-01 + https://android.googlesource.com/kernel/common/+/2bd81ced0685922df12f4be3338ea632805624e9 Notes: carnil> Bulletin refers to upstream kernel but unconfirmed. According carnil> to Moritz this is just in Android specific xt_qtaguid code and carnil> so actually not "upstream kernel". + bwh> The bulletin links to source commits which are definitely not + bwh> touching upstream code. Bugs: -upstream: -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +upstream: N/A "Vulnerable code not present" +5.10-upstream-stable: N/A "Vulnerable code not present" +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +sid: N/A "Vulnerable code not present" +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2021-26934 b/active/CVE-2021-26934 index 2f474957..34a2c453 100644 --- a/active/CVE-2021-26934 +++ b/active/CVE-2021-26934 @@ -9,7 +9,7 @@ Bugs: upstream: 5.10-upstream-stable: 4.19-upstream-stable: -4.9-upstream-stable: +4.9-upstream-stable: N/A "Affected code not present" sid: 4.19-buster-security: -4.9-stretch-security: +4.9-stretch-security: N/A "Affected code not present" diff --git a/active/CVE-2021-3348 b/active/CVE-2021-3348 index 35abfe3f..14d00662 100644 --- a/active/CVE-2021-3348 +++ b/active/CVE-2021-3348 @@ -7,7 +7,7 @@ Bugs: upstream: released (5.11-rc6) [b98e762e3d71e893b221f871825dc64694cfb258] 5.10-upstream-stable: released (5.10.13) [41f6f4a3143506ea1499cda2f14a16a2f82118a8] 4.19-upstream-stable: released (4.19.173) [424838c0f727f1d11ce2ccaabba96f4346c03906] -4.9-upstream-stable: +4.9-upstream-stable: N/A "Vulnerable code not present" sid: released (5.10.13-1) 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: N/A "Vulnerable code not present" |