author: Ben Hutchings <ben@decadent.org.uk> 2020-12-13 23:34:31 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2020-12-17 00:50:52 +0100
commit: 7811bf54c3fa03d431c7825d00b939213fa07553 (patch)
tree: 60f0aee0c228326665736d7199fe9a30ee8c9cd0 /active
parent: 3dd57c07bc02f0fdcda033e675b3e753858e4757 (diff)
Fill in status for several issues
Diffstat (limited to 'active')
-rw-r--r--  active/CVE-2019-12881  14
-rw-r--r--  active/CVE-2019-19039   4
-rw-r--r--  active/CVE-2019-19318   6
-rw-r--r--  active/CVE-2019-19377   4
-rw-r--r--  active/CVE-2019-19378  14
-rw-r--r--  active/CVE-2019-9245    2
-rw-r--r--  active/CVE-2019-9453    2
-rw-r--r--  active/CVE-2020-0067    2
-rw-r--r--  active/CVE-2020-16120  12
-rw-r--r--  active/CVE-2020-27815  15
-rw-r--r--  active/CVE-2020-27820   6
-rw-r--r--  active/CVE-2020-27830   7
12 files changed, 52 insertions, 36 deletions
diff --git a/active/CVE-2019-12881 b/active/CVE-2019-12881
index 5f6a0a95..9d68be34 100644
--- a/active/CVE-2019-12881
+++ b/active/CVE-2019-12881
@@ -3,12 +3,14 @@ References:
https://gist.github.com/oxagast/472866fb2c3d439e10499d7141d0a520
Notes:
carnil> Unclear status on the issue (e.g. if upstream is aware)
+ bwh> Introduced in 3.16 by commit 5cc9ed4b9a7a "drm/i915: Introduce
+ bwh> mapping of user pages into video memory (userptr) ioctl".
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
+upstream: released (4.18-rc1) [c11c7bfd213495784b22ef82a69b6489f8d0092f]
+4.19-upstream-stable: N/A "Fixed before branch point"
+4.9-upstream-stable: released (4.9.126) [f916daa615e1c0d67fb3b7a65572fbc56c6aaea6]
3.16-upstream-stable: ignored "EOL"
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+sid: released (4.18.6-1)
+4.19-buster-security: N/A "Fixed before branch point"
+4.9-stretch-security: released (4.9.130-1)
3.16-jessie-security: ignored "EOL"
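Review bot: carnil's "Unclear status on the issue (e.g. if upstream is aware)" line is left in place above the new bwh note, but the Bugs block now records an upstream fix in 4.18-rc1 (c11c7bfd2134...) and a 4.9.126 backport, so that note is stale; either drop it or append a line saying which commit was identified as the fix and how it was matched to the gist. The Notes now give the introducing commit (5cc9ed4b9a7a, 3.16) while the fix hash appears only in the status field; a "Fixed by ..." line beside "Introduced in ..." would make the affected range explicit for anyone reading the entry without the Bugs block.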
diff --git a/active/CVE-2019-19039 b/active/CVE-2019-19039
index b3f07dd7..f343a2ac 100644
--- a/active/CVE-2019-19039
+++ b/active/CVE-2019-19039
@@ -10,9 +10,9 @@ Notes:
Bugs:
upstream: released (5.7-rc1) [b3ff8f1d380e65dddd772542aa9bff6c86bf715a]
4.19-upstream-stable: released (4.19.156) [1527c0e0229d2dd1c8ae1e73b1579bd8d5866b5b]
-4.9-upstream-stable:
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
sid: released (5.6.7-1)
4.19-buster-security: released (4.19.160-1)
-4.9-stretch-security:
+4.9-stretch-security: needed
3.16-jessie-security: ignored "EOL"
diff --git a/active/CVE-2019-19318 b/active/CVE-2019-19318
index 55146323..305878c9 100644
--- a/active/CVE-2019-19318
+++ b/active/CVE-2019-19318
@@ -8,11 +8,11 @@ Notes:
bwh> the owner pointer, and the issue is also said to be reproducible on
bwh> 5.0.21 (which does not have a backport of it).
Bugs:
-upstream: released (5.4)
-4.19-upstream-stable:
+upstream: released (5.4-rc1) [9f7fec0ba89108b9385f1b9fb167861224912a4a]
+4.19-upstream-stable: released (4.19.137) [cd823ab582225b2ce6eb37b9e22581a8d171a24a]
4.9-upstream-stable:
3.16-upstream-stable: ignored "EOL"
sid: released (5.4.6-1)
-4.19-buster-security:
+4.19-buster-security: released (4.19.146-1)
4.9-stretch-security:
3.16-jessie-security: ignored "EOL"
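Review bot: 4.9-upstream-stable and 4.9-stretch-security are still empty in this hunk while every other branch is filled in. With the fix now identified (9f7fec0ba891..., backported to 4.19.137 as cd823ab58222...), the 4.9 lines should get a status too: "needed" if the affected code exists in 4.9, or N/A with a reason if the Notes' point about 5.0.21 means the bug post-dates 4.9. Leaving them blank reads as "not yet looked at" rather than as a decision.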
diff --git a/active/CVE-2019-19377 b/active/CVE-2019-19377
index c75ef155..5d8a8cbb 100644
--- a/active/CVE-2019-19377
+++ b/active/CVE-2019-19377
@@ -9,9 +9,9 @@ Notes:
Bugs:
upstream: released (5.7-rc1) [b3ff8f1d380e65dddd772542aa9bff6c86bf715a]
4.19-upstream-stable: released (4.19.156) [1527c0e0229d2dd1c8ae1e73b1579bd8d5866b5b]
-4.9-upstream-stable:
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
sid: released (5.6.7-1)
4.19-buster-security: released (4.19.160-1)
-4.9-stretch-security:
+4.9-stretch-security: needed
3.16-jessie-security: ignored "EOL"
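Review bot: this entry and the CVE-2019-19039 hunk above carry the same upstream fix (b3ff8f1d380e...) and the same 4.19 backport (1527c0e0229d...), and both now set 4.9-upstream-stable and 4.9-stretch-security to "needed". Add a cross-reference in the Notes of each so that a single 4.9 backport closes both and the two entries cannot drift apart (one updated to "released", the other left at "needed").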
diff --git a/active/CVE-2019-19378 b/active/CVE-2019-19378
index 67f67d03..82b52fca 100644
--- a/active/CVE-2019-19378
+++ b/active/CVE-2019-19378
@@ -2,12 +2,14 @@ Description: btrfs: crafted image causes heap OOB write in index_rbio_pages
References:
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19378
Notes:
+ bwh> Probably introduced in 3.9 by commit 53b381b3abeb "Btrfs: RAID5
+ bwh> and RAID6".
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
+upstream: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
3.16-upstream-stable: ignored "EOL"
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
3.16-jessie-security: ignored "EOL"
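Review bot: "upstream: needed" is set but the only Reference is the bobfuzzer reproducer repository; nothing in the entry says whether the issue has been reported to the btrfs maintainers or whether a patch is in flight. Add a Notes line stating the upstream reporting status (or link the thread) so "needed" is actionable rather than just "nobody has fixed it". The "Probably introduced in 3.9" hedge is appropriate; if it is later confirmed, "ignored EOL" for 3.16 still stands since 3.16 is after 3.9.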
diff --git a/active/CVE-2019-9245 b/active/CVE-2019-9245
index 56e364c1..f17f491f 100644
--- a/active/CVE-2019-9245
+++ b/active/CVE-2019-9245
@@ -9,5 +9,5 @@ upstream: released (5.0-rc1) [64beba0558fce7b59e9a8a7afd77290e82a22163]
3.16-upstream-stable: ignored "f2fs is not supportable"
sid: released (4.19.16-1)
4.19-buster-security: N/A "Fixed before branching point"
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
3.16-jessie-security: ignored "f2fs is not supportable"
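Review bot: 4.9-stretch-security flips from "needed" to ignored "f2fs is not supportable", but the 4.9-upstream-stable line is outside this hunk's context; it should carry the same decision (or a "released" entry), otherwise the two 4.9 lines for the same branch disagree. Minor wording: 4.19-buster-security here reads "Fixed before branching point" while the CVE-2019-12881 entry in this same commit writes "Fixed before branch point"; settle on one phrase so greps across the tracker match.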
diff --git a/active/CVE-2019-9453 b/active/CVE-2019-9453
index 42bc5a79..0ffcdb73 100644
--- a/active/CVE-2019-9453
+++ b/active/CVE-2019-9453
@@ -10,5 +10,5 @@ upstream: released (5.2-rc1) [2777e654371dd4207a3a7f4fb5fa39550053a080]
3.16-upstream-stable: ignored "f2fs is not supportable"
sid: released (5.2.6-1)
4.19-buster-security: released (4.19.67-1)
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
3.16-jessie-security: ignored "f2fs is not supportable"
diff --git a/active/CVE-2020-0067 b/active/CVE-2020-0067
index dfce0946..54b5aba6 100644
--- a/active/CVE-2020-0067
+++ b/active/CVE-2020-0067
@@ -9,5 +9,5 @@ upstream: released (5.5-rc1) [688078e7f36c293dae25b338ddc9e0a2790f6e06]
3.16-upstream-stable: ignored "f2fs is not supportable"
sid: released (5.5.13-1)
4.19-buster-security: released (4.19.118-1) [bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch]
-4.9-stretch-security: needed
+4.9-stretch-security: ignored "f2fs is not supportable"
3.16-jessie-security: ignored "f2fs is not supportable"
diff --git a/active/CVE-2020-16120 b/active/CVE-2020-16120
index fbf03408..fb8cd0f8 100644
--- a/active/CVE-2020-16120
+++ b/active/CVE-2020-16120
@@ -11,11 +11,13 @@ Notes:
carnil> Only exploitable when unprivileged user namespaces are enabled.
bwh> I think it's only exploitable when unprivileged user namespace
bwh> are enabled, *and* mounting of overlayfs is permitted in all
- bwh> user namespaces.
+ bwh> user namespaces. This is not possible in the upstream or stable
+ bwh> kernels, or in a default Debian configuration, but we do provide
+ bwh> run-time configuration knobs to enable these.
Bugs:
upstream: released (5.8-rc1) [48bd024b8a40d73ad6b086de2615738da0c7004f, 56230d956739b9cb1cbde439d76227d77979a04d, 05acefb4872dae89e772729efb194af754c877e8]
-4.19-upstream-stable:
-4.9-upstream-stable:
+4.19-upstream-stable: N/A "Vulnerable configuration not possible"
+4.9-upstream-stable: N/A "Vulnerable configuration not possible"
sid: released (5.8.7-1)
-4.19-buster-security:
-4.9-stretch-security:
+4.19-buster-security: needed
+4.9-stretch-security: N/A "Vulnerable configuration not possible"
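Review bot: the note says "we do provide run-time configuration knobs to enable these" but not for which Debian kernels, while the status lines treat the two branches differently (4.19-buster-security "needed", 4.9-stretch-security N/A "Vulnerable configuration not possible"). Spell out in the note that the overlayfs-in-user-namespace knob is carried by the Debian 4.19 (buster) kernel and not by the 4.9 (stretch) one, so the asymmetry is documented rather than inferred from the statuses. N/A on both upstream-stable lines is consistent with the note that the configuration is impossible on upstream kernels.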
diff --git a/active/CVE-2020-27815 b/active/CVE-2020-27815
index d2ffb61b..f9bc8188 100644
--- a/active/CVE-2020-27815
+++ b/active/CVE-2020-27815
@@ -4,10 +4,15 @@ References:
https://www.openwall.com/lists/oss-security/2020/11/30/5
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c61b3e4839007668360ed8b87d7da96d2e59fc6c
Notes:
+ bwh> Based on the fix, this looks like it will be harmless in practice.
+ bwh> There are two arrays of different sizes aliased to each other
+ bwh> through a union, and the smaller array is used when the larger
+ bwh> should be. But the union will always be big enough to hold the
+ bwh> larger array.
Bugs:
upstream: needed
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
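Review bot: the Notes argue the bug is harmless in practice (the union is always large enough for the larger array), yet every status line is set to "needed" with no mention of priority, so the note and the statuses read as contradicting each other. Either add a sentence saying the fix is tracked only to close the CVE (low priority, no urgency for a DSA), or use a status that reflects the assessment ("postponed" or "ignored" with the reason). "upstream: needed" is consistent with the reference being a linux-next commit rather than a mainline one.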
diff --git a/active/CVE-2020-27820 b/active/CVE-2020-27820
index 50d53986..8ec00595 100644
--- a/active/CVE-2020-27820
+++ b/active/CVE-2020-27820
@@ -5,10 +5,12 @@ References:
https://lore.kernel.org/dri-devel/20201103194912.184413-4-jcline@redhat.com/
https://bugzilla.redhat.com/show_bug.cgi?id=1901726
Notes:
+ bwh> I don't see how this is a security issue, though it seems like a
+ bwh> worthwhile fix anyway.
Bugs:
-upstream:
+upstream: needed
4.19-upstream-stable:
4.9-upstream-stable:
-sid:
+sid: needed
4.19-buster-security:
4.9-stretch-security:
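Review bot: upstream and sid are set to "needed" but 4.19-upstream-stable, 4.9-upstream-stable, 4.19-buster-security and 4.9-stretch-security are left blank, so the entry is only half filled in. Either mark them "needed" as well or record why they are deferred (for example, waiting to see whether the fix gets a stable tag). The note "I don't see how this is a security issue" would also be better reflected in the status (e.g. "ignored" or "postponed" with that reason) than left beside a plain "needed"; if the fix is wanted for robustness regardless, say so.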
diff --git a/active/CVE-2020-27830 b/active/CVE-2020-27830
index 7439e499..b0365e0a 100644
--- a/active/CVE-2020-27830
+++ b/active/CVE-2020-27830
@@ -3,9 +3,12 @@ References:
https://www.openwall.com/lists/oss-security/2020/12/07/1
Notes:
carnil> Fixed as well in v5.9.14.
+ bwh> Introduced in 4.13 by commit 1ab92da32e37 "staging: speakup: add
+ bwh> tty-based comms functions".
Bugs:
upstream: released (5.10-rc7) [f0992098cadb4c9c6a00703b66cafe604e178fea]
4.19-upstream-stable: released (4.19.163) [de867367f35237729e285ff6efa3fd4e4b0b9008]
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: pending (5.9.15-1)
-4.9-stretch-security:
+4.19-buster-security: needed
+4.9-stretch-security: N/A "Vulnerability introduced later"
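Review bot: only 4.9-stretch-security appears among the removed lines, so the 4.19-buster-security line did not exist in this file before and this hunk repairs the template as well as filling status; it is worth checking the other entries touched in this commit for the same omission. carnil's "Fixed as well in v5.9.14" note and "sid: pending (5.9.15-1)" agree, and with the 4.19.163 backport recorded, buster "needed" will be satisfied by the next 4.19.y rebase, which the note could state so the entry is not mistaken for one needing a standalone backport.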
