Ignore eBPF information leaks in stretch

author: Ben Hutchings <ben@decadent.org.uk> 2022-05-15 21:22:51 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2022-05-15 21:25:05 +0200
commit: d082da7610901f6e5718151a1cc52b7e89e5491d (patch)
tree: 6caf95b53c7309c37f79abfb87fc74cc4402d956
parent: 95642170dc992fb38a4a17f1af746df78deea5b0 (diff)
4 files changed, 16 insertions, 4 deletions
diff --git a/active/CVE-2021-33624 b/active/CVE-2021-33624
index 0cbf2373..37e4a36d 100644
--- a/active/CVE-2021-33624
+++ b/active/CVE-2021-33624
@@ -6,6 +6,9 @@ Notes:
  carnil> mispredicted branches") is the main part of the fixes.
  carnil> The selftest fixes commit was included in later release as well
  carnil> in 5.10.57 but the CVE fixes covered already in 5.10.46.
+ bwh> I think this can be ignored. Privileged users can generally read
+ bwh> kernel memory through kprobes/tracepoints. Unprivileged use of
+ bwh> eBPF is now disabled by default in all Debian suites.
 Bugs:
 upstream: released (5.13-rc7) [d203b0fd863a2261e5d00b97f3d060c4c2a6db71, fe9a5ca7e370e613a9a75a13008a3845ea759d6e, 9183671af6dbf60a1219371d4ed73e23f43b49db, 973377ffe8148180b2651825b92ae91988141b05]
 5.10-upstream-stable: released (5.10.46) [e9d271731d21647f8f9e9a261582cf47b868589a, 8c82c52d1de931532200b447df8b4fc92129cfd9, 5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b], (5.10.57) [30ea1c535291e88e41413464277fcf98a95cf8c6]
@@ -14,4 +17,4 @@ upstream: released (5.13-rc7) [d203b0fd863a2261e5d00b97f3d060c4c2a6db71, fe9a5ca
 sid: released (5.10.46-1)
 5.10-bullseye-security: N/A "Fixed before branching point"
 4.19-buster-security: released (4.19.208-1)
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "Too risky to backport, and mitigated by default"
diff --git a/active/CVE-2021-34556 b/active/CVE-2021-34556
index 7945edc4..cb6a8f3b 100644
--- a/active/CVE-2021-34556
+++ b/active/CVE-2021-34556
@@ -3,6 +3,9 @@ References:
  https://www.openwall.com/lists/oss-security/2021/08/01/3
  https://lore.kernel.org/stable/20210913153537.2162465-1-ovidiu.panait@windriver.com/
 Notes:
+ bwh> I think this can be ignored. Privileged users can generally read
+ bwh> kernel memory through kprobes/tracepoints. Unprivileged use of
+ bwh> eBPF is now disabled by default in all Debian suites.
 Bugs:
 upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26f3aca5b0e419b98f65dd36481337b86ee]
 5.10-upstream-stable: released (5.10.56) [bea9e2fd180892eba2574711b05b794f1d0e7b73, 0e9280654aa482088ee6ef3deadef331f5ac5fb0]
@@ -11,4 +14,4 @@ upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26
 sid: released (5.10.46-4) [bugfix/all/bpf-introduce-bpf-nospec-instruction-for-mitigating-.patch, bugfix/all/bpf-fix-leakage-due-to-insufficient-speculative-stor.patch]
 5.10-bullseye-security: N/A "Fixed before branching point"
 4.19-buster-security: released (4.19.208-1)
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "Too risky to backport, and mitigated by default"
diff --git a/active/CVE-2021-35477 b/active/CVE-2021-35477
index 7945edc4..cb6a8f3b 100644
--- a/active/CVE-2021-35477
+++ b/active/CVE-2021-35477
@@ -3,6 +3,9 @@ References:
  https://www.openwall.com/lists/oss-security/2021/08/01/3
  https://lore.kernel.org/stable/20210913153537.2162465-1-ovidiu.panait@windriver.com/
 Notes:
+ bwh> I think this can be ignored. Privileged users can generally read
+ bwh> kernel memory through kprobes/tracepoints. Unprivileged use of
+ bwh> eBPF is now disabled by default in all Debian suites.
 Bugs:
 upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26f3aca5b0e419b98f65dd36481337b86ee]
 5.10-upstream-stable: released (5.10.56) [bea9e2fd180892eba2574711b05b794f1d0e7b73, 0e9280654aa482088ee6ef3deadef331f5ac5fb0]
@@ -11,4 +14,4 @@ upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26
 sid: released (5.10.46-4) [bugfix/all/bpf-introduce-bpf-nospec-instruction-for-mitigating-.patch, bugfix/all/bpf-fix-leakage-due-to-insufficient-speculative-stor.patch]
 5.10-bullseye-security: N/A "Fixed before branching point"
 4.19-buster-security: released (4.19.208-1)
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "Too risky to backport, and mitigated by default"
diff --git a/active/CVE-2021-4159 b/active/CVE-2021-4159
index c387aff0..01654cb3 100644
--- a/active/CVE-2021-4159
+++ b/active/CVE-2021-4159
@@ -3,6 +3,9 @@ References:
  https://bugzilla.suse.com/show_bug.cgi?id=1194227
  https://bugzilla.redhat.com/show_bug.cgi?id=2036024
 Notes:
+ bwh> I think this can be ignored. Privileged users can generally read
+ bwh> kernel memory through kprobes/tracepoints. Unprivileged use of
+ bwh> eBPF is now disabled by default in all Debian suites.
 Bugs:
 upstream: released (5.7-rc1) [294f2fc6da27620a506e6c050241655459ccd6bd]
 5.10-upstream-stable: N/A "Fixed before branching point"
@@ -11,4 +14,4 @@ upstream: released (5.7-rc1) [294f2fc6da27620a506e6c050241655459ccd6bd]
 sid: released (5.7.6-1)
 5.10-bullseye-security: N/A "Fixed before branching point"
 4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: ignored "Too risky to backport, and mitigated by default"
author	Ben Hutchings <ben@decadent.org.uk>	2022-05-15 21:22:51 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2022-05-15 21:25:05 +0200
commit	d082da7610901f6e5718151a1cc52b7e89e5491d (patch)
tree	6caf95b53c7309c37f79abfb87fc74cc4402d956
parent	95642170dc992fb38a4a17f1af746df78deea5b0 (diff)