author Ben Hutchings <ben@decadent.org.uk> 2024-03-11 00:11:29 +0100
committer Ben Hutchings <ben@decadent.org.uk> 2024-03-11 00:11:29 +0100
commit 73dccfc63d792093db024dd1df1e7dfd4682bac2
tree d35990e4681baf180c86d2f44a196d962c17f90a
parent bbc0d50a98f15c31b7b55b353e25ec274555979c
Record various issues as already fixed upstream
-rw-r--r-- active/CVE-2023-1192 10
-rw-r--r-- active/CVE-2023-2176 2
-rw-r--r-- active/CVE-2023-52572 1
-rw-r--r-- active/CVE-2023-6356 21
-rw-r--r-- active/CVE-2023-6536 20
-rw-r--r-- active/CVE-2024-0565 2
-rw-r--r-- active/CVE-2024-0841 9
-rw-r--r-- active/CVE-2024-23850 9
-rw-r--r-- active/CVE-2024-23851 2
9 files changed, 45 insertions, 31 deletions
diff --git a/active/CVE-2023-1192 b/active/CVE-2023-1192
index 8bdbcbb8..1a449827 100644
--- a/active/CVE-2023-1192
+++ b/active/CVE-2023-1192
@@ -14,11 +14,13 @@ Notes:
carnil> the smb2_is_status_io_timeout() case.
carnil> But according to Ben this is another issue.
Bugs:
-upstream: needed
-6.1-upstream-stable: needed
+upstream: released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f]
+6.7-upstream-stable: N/A "Fixed before branching point"
+6.6-upstream-stable: N/A "Fixed before branching point"
+6.1-upstream-stable: released (6.1.56) [908b3b5e97d25e879de3d1f172a255665491c2c3]
5.10-upstream-stable: needed
4.19-upstream-stable: N/A "Vulnerable code not present"
-sid: needed
-6.1-bookworm-security: needed
+sid: released (6.5.6-1)
+6.1-bookworm-security: released (6.1.64-1)
5.10-bullseye-security: needed
4.19-buster-security: N/A "Vulnerable code not present"
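Review bot: the Notes context directly above the status block still ends on an open question ("But according to Ben this is another issue."), yet the status lines now record d527f51331cace562393a8038d870b3e9916686f as the upstream fix with no note explaining how that was settled. A short bwh> line saying why this commit is considered the fix for this CVE would let the next person triaging 5.10 trust the "needed" entries that remain for 5.10-upstream-stable and 5.10-bullseye-security.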
diff --git a/active/CVE-2023-2176 b/active/CVE-2023-2176
index 03ae4309..016b82f0 100644
--- a/active/CVE-2023-2176
+++ b/active/CVE-2023-2176
@@ -9,7 +9,7 @@ Notes:
bwh> and remote IP".
Bugs:
upstream: released (6.3-rc1) [8d037973d48c026224ab285e6a06985ccac6f7bf]
-6.1-upstream-stable: needed
+6.1-upstream-stable: released (6.1.81) [88067197e97af3fcb104dd86030f788ec1b32fdb]
5.10-upstream-stable: N/A "Vulnerability introduced later"
4.19-upstream-stable: N/A "Vulnerability introduced later"
sid: released (6.3.7-1)
diff --git a/active/CVE-2023-52572 b/active/CVE-2023-52572
index ea38421c..bfae580c 100644
--- a/active/CVE-2023-52572
+++ b/active/CVE-2023-52572
@@ -3,6 +3,7 @@ References:
Notes:
carnil> Introduced in ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and
carnil> memcpy) in cifs_readpages"). Vulnerable versions: 2.6.16-rc2.
+ bwh> Duplicate of CVE-2023-1192.
Bugs:
upstream: released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f]
6.7-upstream-stable: N/A "Fixed before branching point"
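Review bot: the "Duplicate of CVE-2023-1192" note is added only on this side, so someone reading active/CVE-2023-1192 will not learn that a second ID tracks the same fix. Consider adding the reciprocal note there, and check that the status lines below the visible context in this file agree with the ones just recorded for CVE-2023-1192 (6.1.56 for 6.1-upstream-stable, 6.5.6-1 for sid, 6.1.64-1 for bookworm), since both files cite the same upstream commit d527f51331cace562393a8038d870b3e9916686f.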
diff --git a/active/CVE-2023-6356 b/active/CVE-2023-6356
index 6b346475..2617a7b8 100644
--- a/active/CVE-2023-6356
+++ b/active/CVE-2023-6356
@@ -3,12 +3,17 @@ References:
https://bugzilla.redhat.com/show_bug.cgi?id=2254054
https://lore.kernel.org/linux-nvme/CAK5usQupQgYoyav2itYADv2XVooMptqqswW8cTkuoMkRpjapwQ@mail.gmail.com/T/#t
Notes:
+ bwh> There has never been a nvmet_tcp_build_iovec() function in
+ bwh> nvmet, but I think this is fixed by commit efa56305908b
+ bwh> "nvmet-tcp: Fix a kernel panic when host sends an invalid
+ bwh> H2C PDU length" which mentions nvmet_tcp_build_pdu_iovec().
+ bwh> Fixed as well in 6.6.14 and 6.7.2.
Bugs:
-upstream:
-6.1-upstream-stable:
-5.10-upstream-stable:
-4.19-upstream-stable:
-sid:
-6.1-bookworm-security:
-5.10-bullseye-security:
-4.19-buster-security:
+upstream: released (6.8-rc1) [efa56305908ba20de2104f1b8508c6a7401833be]
+6.1-upstream-stable: released (6.1.75) [2871aa407007f6f531fae181ad252486e022df42]
+5.10-upstream-stable: released (5.10.209) [f775f2621c2ac5cc3a0b3a64665dad4fb146e510]
+4.19-upstream-stable: needed
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: released (5.10.209-1)
+4.19-buster-security: needed
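Review bot: the 6.6.14 and 6.7.2 fixes are recorded only as free text in the Notes block ("Fixed as well in 6.6.14 and 6.7.2"), while the CVE-2023-1192 hunk in this same commit adds explicit 6.7-upstream-stable and 6.6-upstream-stable lines. Status lines with the stable commit ids would keep the file consistent and machine-readable. Separately, the note hedges the fix identification ("I think this is fixed by commit efa56305908b") while every Bugs line is recorded as a firm "released"; if the match is not yet confirmed against the referenced lore thread, it is worth saying so next to the statuses or confirming before they are relied on.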
diff --git a/active/CVE-2023-6536 b/active/CVE-2023-6536
index b85dd1ef..e804453b 100644
--- a/active/CVE-2023-6536
+++ b/active/CVE-2023-6536
@@ -3,12 +3,16 @@ References:
https://bugzilla.redhat.com/show_bug.cgi?id=2254052
https://lore.kernel.org/linux-nvme/69e7bbe4-b454-4941-90e2-2e6a4cf0f182@grimberg.me/T/#t
Notes:
+ bwh> I think this is fixed by commit 0849a5441358 "nvmet-tcp:
+ bwh> fix a crash in nvmet_req_complete()"; that mentions
+ bwh> nvmet_req_complete() which is a thin wrapper for
+ bwh> __nvmet_req_complete()). Fixed as well in 6.6.14 and 6.7.2.
Bugs:
-upstream:
-6.1-upstream-stable:
-5.10-upstream-stable:
-4.19-upstream-stable:
-sid:
-6.1-bookworm-security:
-5.10-bullseye-security:
-4.19-buster-security:
+upstream: released (6.8-rc1) [0849a5441358cef02586fb2d60f707c0db195628]
+6.1-upstream-stable: released (6.1.75) [83ccd15717ee2b6143df72df39685f0c832e3451]
+5.10-upstream-stable: released (5.10.209) [39669fae69f302961d89f38d969c6fcc1d07eb02]
+4.19-upstream-stable: needed
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: released (5.10.209-1)
+4.19-buster-security: needed
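Review bot: the added note has an unmatched closing parenthesis in "__nvmet_req_complete()). Fixed as well", and unlike the CVE-2023-6356 note it never states what the mismatch is that makes the identification tentative. Suggest dropping the stray ")" and saying which function name the CVE report uses, so the reasoning behind "I think this is fixed by commit 0849a5441358" can be checked before the "released" lines for 6.1.75 and 5.10.209 are relied on.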
diff --git a/active/CVE-2024-0565 b/active/CVE-2024-0565
index 48ab314f..7ab48346 100644
--- a/active/CVE-2024-0565
+++ b/active/CVE-2024-0565
@@ -9,7 +9,7 @@ Notes:
Bugs:
upstream: released (6.7-rc6) [eec04ea119691e65227a97ce53c0da6b9b74b0b7]
6.1-upstream-stable: released (6.1.69) [9f528a8e68327117837b5e28b096f52af4c26a05]
-5.10-upstream-stable: needed
+5.10-upstream-stable: released (5.10.211) [b03c8099a738a04d2343547ae6a04e5f0f63d3fa]
4.19-upstream-stable: needed
sid: released (6.6.8-1)
6.1-bookworm-security: released (6.1.69-1)
diff --git a/active/CVE-2024-0841 b/active/CVE-2024-0841
index 1a089c10..1e907906 100644
--- a/active/CVE-2024-0841
+++ b/active/CVE-2024-0841
@@ -5,12 +5,13 @@ References:
Notes:
carnil> Commit fixes 32021982a324 ("hugetlbfs: Convert to fs_context")
carnil> 5.1-rc1.
+ bwh> Fixed also in 6.6.18 and 6.7.6.
Bugs:
-upstream: needed
-6.1-upstream-stable: needed
-5.10-upstream-stable: needed
+upstream: released (6.8-rc4) [79d72c68c58784a3e1cd2378669d51bfd0cb7498]
+6.1-upstream-stable: released (6.1.79) [2e2c07104b4904aed1389a59b25799b95a85b5b9]
+5.10-upstream-stable: released (5.10.212) [80d852299987a8037be145a94f41874228f1a773]
4.19-upstream-stable: N/A "Vulnerable code not present"
-sid: needed
+sid: released (6.7.7-1)
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-23850 b/active/CVE-2024-23850
index cfb2f68d..477ce026 100644
--- a/active/CVE-2024-23850
+++ b/active/CVE-2024-23850
@@ -6,12 +6,13 @@ Notes:
carnil> Commit fixes 2dfb1e43f57d ("btrfs: preallocate anon block
carnil> device at first phase of snapshot creation") in 5.9-rc1 (and
carnil> backported to 5.8.3)
+ bwh> Fixed as well in 6.6.18 and 6.7.6.
Bugs:
-upstream: needed
-6.1-upstream-stable: needed
-5.10-upstream-stable: needed
+upstream: released (6.8-rc4) [e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb]
+6.1-upstream-stable: released (6.1.79)
+5.10-upstream-stable: released (5.10.210)
4.19-upstream-stable: N/A "Vulnerable code not present"
-sid: needed
+sid: released (6.7.7-1)
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: N/A "Vulnerable code not present"
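Review bot: the new "6.1-upstream-stable: released (6.1.79)" and "5.10-upstream-stable: released (5.10.210)" lines carry no commit id in brackets, unlike the upstream line in this hunk and the stable lines in every other file in this commit. Please add the stable backport hashes so the entries can be verified against the stable trees.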
diff --git a/active/CVE-2024-23851 b/active/CVE-2024-23851
index 327c875a..da6796be 100644
--- a/active/CVE-2024-23851
+++ b/active/CVE-2024-23851
@@ -9,7 +9,7 @@ upstream: released (6.8-rc3) [bd504bcfec41a503b32054da5472904b404341a4]
6.1-upstream-stable: released (6.1.79) [c5d83ac2bf6ca668a39ffb1a576899a66153ba19]
5.10-upstream-stable: released (5.10.210) [a891a0621e725e85529985139cada8cb5a74a116]
4.19-upstream-stable:
-sid: needed
+sid: released (6.7.7-1)
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security:
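Review bot: the context lines show "4.19-upstream-stable:" and "4.19-buster-security:" still empty in this file, so the 4.19 state is untriaged even though 6.1 and 5.10 already have released fixes. Since the file is being touched anyway, consider setting both to "needed" or to N/A with a reason, as the other files in this commit do.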
