Update notes for CVE-2021-37159

1 files changed, 15 insertions, 5 deletions

diff --git a/active/CVE-2021-37159 b/active/CVE-2021-37159
index 7c07e1dd..22a94465 100644
--- a/active/CVE-2021-37159
+++ b/active/CVE-2021-37159
@@ -1,15 +1,25 @@
 Description: net: hso: do not call unregister if not registered
 References:
  https://www.spinics.net/lists/linux-usb/msg202228.html
+ https://lore.kernel.org/stable/20210928151544.270412-1-ovidiu.panait@windriver.com/
+ https://lore.kernel.org/stable/20210928143001.202223-1-ovidiu.panait@windriver.com/
+ https://lore.kernel.org/stable/20210928131523.2314252-1-ovidiu.panait@windriver.com/
+ https://ubuntu.com/security/CVE-2021-37159
+ https://bugzilla.suse.com/show_bug.cgi?id=1188601
 Notes:
  carnil> The original patch was not accepted:
  carnil> https://www.spinics.net/lists/linux-usb/msg202313.html
  carnil> and a fix probably never applied. Needs closer investigation.
+ carnil> The last commit is just a cleanup and not strictly necessary for the fix.
+ carnil> 5fcfb6d0bfcd ("hso: fix bailout in error case of probe") can be considered
+ carnil> a pre-requisite. This would be consistent with e.g. Ubuntu's triaging for
+ carnil> CVE-2021-37159 and SUSEs.
 Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
+upstream: released (5.14-rc3) [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
+5.10-upstream-stable: released (5.10.54) [115e4f5b64ae8d9dd933167cafe2070aaac45849]
+4.19-upstream-stable: needed
 4.9-upstream-stable:
-sid:
-4.19-buster-security:
+sid: released (5.14.6-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
 4.9-stretch-security: