author | Ben Hutchings <ben@decadent.org.uk> | 2018-06-25 23:01:20 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2018-06-25 23:01:20 +0100 |
commit | d524cd3bcae5bba8190496ddd0f9c781c61952d2 (patch) | |
tree | acce53475b66ee677cfe7457efd8d47cd15e553b | |
parent | a015ebc2609772e2cec1a034319110faa79a8606 (diff) |
Fill in most issue status fields
-rw-r--r-- | active/CVE-2016-10723 | 12 |
-rw-r--r-- | active/CVE-2018-10853 | 6 |
-rw-r--r-- | active/CVE-2018-1120 | 4 |
-rw-r--r-- | active/CVE-2018-1121 | 2 |
-rw-r--r-- | active/CVE-2018-11506 | 14 |
-rw-r--r-- | active/CVE-2018-12232 | 12 |
-rw-r--r-- | active/CVE-2018-12233 | 12 |
-rw-r--r-- | active/CVE-2018-12633 | 2 |
-rw-r--r-- | active/CVE-2018-3665 | 8 |
-rw-r--r-- | active/CVE-2018-5814 | 4 |
10 files changed, 47 insertions, 29 deletions
diff --git a/active/CVE-2016-10723 b/active/CVE-2016-10723 index 8ca44b4b..db45adca 100644 --- a/active/CVE-2016-10723 +++ b/active/CVE-2016-10723 @@ -3,11 +3,15 @@ References: https://patchwork.kernel.org/patch/10395909/ https://patchwork.kernel.org/patch/9842889/ https://www.spinics.net/lists/linux-mm/msg117896.html + https://www.spinics.net/lists/linux-mm/msg117960.html Notes: + bwh> Since this issue dates back to 2016 I assume it affects at least + bwh> 4.9 onward. We should test 3.16 with the reproducer in + bwh> msg117960.html. Bugs: -upstream: -4.9-upstream-stable: +upstream: needed +4.9-upstream-stable: needed 3.16-upstream-stable: -sid: -4.9-stretch-security: +sid: needed +4.9-stretch-security: needed 3.16-jessie-security: diff --git a/active/CVE-2018-10853 b/active/CVE-2018-10853 index 8fc41f80..a3dc24c6 100644 --- a/active/CVE-2018-10853 +++ b/active/CVE-2018-10853 @@ -11,7 +11,7 @@ Notes: Bugs: upstream: released (4.18-rc1) [3c9fa24ca7c9c47605672916491f79e8ccacb9e6] 4.9-upstream-stable: released (4.9.109) [13d1c5b17d127afbd947210c5cdd80eaded5d9f4] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (4.16.16-1) -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2018-1120 b/active/CVE-2018-1120 index e236dfae..a5d7e895 100644 --- a/active/CVE-2018-1120 +++ b/active/CVE-2018-1120 @@ -10,9 +10,9 @@ Notes: Bugs: upstream: released (4.17-rc6) [7f7ccc2ccc2e70c6054685f5e3522efa81556830] 4.9-upstream-stable: released (4.9.101) [6f1abf8628b750905606996fd5ff5ea22d149238] -3.16-upstream-stable: +3.16-upstream-stable: needed 3.2-upstream-stable: ignored "EOL" sid: released (4.16.12-1) 4.9-stretch-security: pending (4.9.88-1+deb9u2) [bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch] -3.16-jessie-security: +3.16-jessie-security: needed 3.2-wheezy-security: ignored "EOL" 
diff --git a/active/CVE-2018-1121 b/active/CVE-2018-1121 index 407e8a96..8e19a7d5 100644 --- a/active/CVE-2018-1121 +++ b/active/CVE-2018-1121 @@ -9,7 +9,7 @@ Notes: Bugs: upstream: 4.9-upstream-stable: -3.16-upstream-stable: +3.16-upstream-stable: ignored "Fix is likely not be possible without major side effects" 3.2-upstream-stable: ignored "EOL" sid: ignored "Fix is likely not be possible without major side effects" 4.9-stretch-security: ignored "Fix is likely not be possible without major side effects" diff --git a/active/CVE-2018-11506 b/active/CVE-2018-11506 index 1e6f8d1f..05cd40e9 100644 --- a/active/CVE-2018-11506 +++ b/active/CVE-2018-11506 @@ -4,12 +4,18 @@ Notes: carnil> Possibly just introduced with 82ed4db499b8598f16f8871261bff088d6b0597f carnil> in 4.11-rc1. carnil> For 4.16 fixed in 4.16.13. + bwh> The change in 4.11 moved the copying of sense data into + bwh> __scsi_execute() and changed the length to a fixed 96 bytes. + bwh> Prior to that scsi_io_completion() could still copy up to 96 + bwh> bytes into the sense buffer. So I think a fix is still + bwh> needed in older versions, but we need to be careful to avoid + bwh> introducing an information leak. Bugs: upstream: released (4.17-rc7) [f7068114d45ec55996b9040e98111afa56e010fe] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: needed 3.2-upstream-stable: ignored "EOL" sid: released (4.16.16-1) -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed 3.2-wheezy-security: ignored "EOL" diff --git a/active/CVE-2018-12232 b/active/CVE-2018-12232 index 4cd4a11e..7df40c88 100644 --- a/active/CVE-2018-12232 +++ b/active/CVE-2018-12232 
@@ -3,10 +3,12 @@ References: https://lkml.org/lkml/2018/6/5/14 https://patchwork.ozlabs.org/patch/926519/ Notes: + bwh> Introduced in 4.10 by commit 86741ec25462 "net: core: Add a UID + bwh> field to struct sock." Bugs: upstream: released (4.18-rc1) [6d8c50dcb029872b298eea68cc6209c866fd3e14] -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.9-stretch-security: -3.16-jessie-security: +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" +sid: needed +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2018-12233 b/active/CVE-2018-12233 index dea15b98..49d86e22 100644 --- a/active/CVE-2018-12233 +++ b/active/CVE-2018-12233 @@ -1,12 +1,12 @@ -Description: Slab out of bounds in setxattr +Description: Slab out of bounds in jfs setxattr References: https://marc.info/?l=linux-kernel&m=152814391530549&w=2 https://lkml.org/lkml/2018/6/2/2 Notes: Bugs: upstream: needed -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.9-stretch-security: -3.16-jessie-security: +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2018-12633 b/active/CVE-2018-12633 index e1544c5e..96b197e3 100644 --- a/active/CVE-2018-12633 +++ b/active/CVE-2018-12633 @@ -7,6 +7,6 @@ Bugs: upstream: released (4.18-rc1) [bd23a7269834dc7c1f93e83535d16ebc44b75eba] 4.9-upstream-stable: N/A "Vulnerable code not present" 3.16-upstream-stable: N/A "Vulnerable code not present" -sid: +sid: needed 4.9-stretch-security: N/A "Vulnerable code not present" 3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2018-3665 b/active/CVE-2018-3665 index 4261530d..8e35ea6f 100644 --- a/active/CVE-2018-3665 +++ b/active/CVE-2018-3665 
@@ -9,10 +9,16 @@ Notes: carnil> Hard-disable lazy FPU mode". carnil> Might be still sensible to apply the patch for 4.9-upstream-stable carnil> x86-fpu-hard-disable-lazy-fpu-mode.patch for stretch. + bwh> Several more fixes were needed to make eagerfpu work on CPUs + bwh> without an FPU or FXSR, and they aren't practical to backport + bwh> to 3.16. I've prepared a fix that enables eagerfpu by default + bwh> if FPU and FXSR are available. This leaves the PPro and K6 + bwh> family vulnerable since they do speculative execution but don't + bwh> implement FXSR. Bugs: upstream: released (4.6-rc1) [58122bf1d856a4ea9581d62a07c557d997d46a19] 4.9-upstream-stable: N/A "Fixed before branching point" -3.16-upstream-stable: needed +3.16-upstream-stable: pending (3.16.58) [x86-fpu-default-eagerfpu-if-fpu-and-fxsr-are-enabled.patch] sid: released (4.6.1-1) 4.9-stretch-security: N/A "Fixed before branching point" 3.16-jessie-security: needed diff --git a/active/CVE-2018-5814 b/active/CVE-2018-5814 index 0b847766..d98bdde9 100644 --- a/active/CVE-2018-5814 +++ b/active/CVE-2018-5814 @@ -5,9 +5,9 @@ Notes: Bugs: upstream: released (4.17-rc6) [22076557b07c12086eeb16b8ce2b0b735f7a27e7, c171654caa875919be3c533d3518da8be5be966e] 4.9-upstream-stable: released (4.9.102) [f2a6d5f19450086e5cbdac7168d3fc75af32becf, 0471d407998b58d1f1cbb4f594fc63f9bf0ec7bb] -3.16-upstream-stable: +3.16-upstream-stable: needed 3.2-upstream-stable: ignored "EOL" sid: released (4.16.12-1) 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed 3.2-wheezy-security: ignored "EOL" |
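Review bot: In active/CVE-2016-10723 the 4.9-upstream-stable and 4.9-stretch-security fields are set to "needed" on the strength of the added note's "I assume it affects at least 4.9 onward", while the 3.16 fields stay blank pending a test. Consider running the reproducer from msg117960.html on 4.9 as well, or wording the note so it is clear that the 4.9 status is assumed rather than confirmed.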
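Review bot: The reason string added to 3.16-upstream-stable in active/CVE-2018-1121, "Fix is likely not be possible without major side effects", carries over the grammar slip from the existing sid and 4.9-stretch-security lines; "likely not to be possible" on all three lines would read correctly. The same hunk still shows upstream: and 4.9-upstream-stable: empty, so either fill them in or record in Notes why they stay open.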
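Review bot: The new bwh note in active/CVE-2018-11506 says that before 4.11 the sense data copy happened in scsi_io_completion() rather than __scsi_execute(), yet the 4.9 and 3.16 fields are simply marked "needed" under upstream commit f7068114d45ec55996b9040e98111afa56e010fe. It would help to state in the note whether that commit can be backported as is or whether the older branches need a separately written fix, since the note already warns about introducing an information leak.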
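Review bot: active/CVE-2018-12233 marks every branch, including 3.16, as "needed" while Notes: stays empty, so there is no record of how the affected range was determined. Other files in this commit add a bwh note for that (for example the "Introduced in 4.10" line in active/CVE-2018-12232); a short note on which versions contain the vulnerable jfs setxattr code would make these statuses verifiable.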
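Review bot: In active/CVE-2018-3665 the 3.16-upstream-stable field becomes "pending (3.16.58)" although the added note says the prepared fix "leaves the PPro and K6 family vulnerable". Once this moves on to released, the status line alone will suggest full coverage; consider marking the fix as partial in the status text, or splitting the residual PPro/K6 exposure into its own note line so it is not lost among the backport details.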