| author | Moritz Muehlenhoff <jmm@debian.org> | 2022-12-14 14:02:17 +0100 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2022-12-14 14:02:17 +0100 |
| commit | 97db91052b394c5a69910974e0cc3c94cebc1a34 (patch) | |
| tree | c89efbdd583292efdd42701ba4574c036c79391e /active | |
| parent | 2001746fa4385902f4da27dd2186a6b0a4d7769d (diff) | |
retire some issues
Diffstat (limited to 'active')

| mode | file | lines removed |
|---|---|---|
| -rw-r--r-- | active/CVE-2019-19036 | 25 |
| -rw-r--r-- | active/CVE-2019-19377 | 19 |
| -rw-r--r-- | active/CVE-2019-9453 | 16 |
| -rw-r--r-- | active/CVE-2020-0030 | 21 |
| -rw-r--r-- | active/CVE-2021-33624 | 20 |
| -rw-r--r-- | active/CVE-2021-33655 | 14 |

6 files changed, 0 insertions, 115 deletions
diff --git a/active/CVE-2019-19036 b/active/CVE-2019-19036 deleted file mode 100644 index 7ab73d15..00000000 --- a/active/CVE-2019-19036 +++ /dev/null @@ -1,25 +0,0 @@ -Description: btrfs: crafted image causes null deref in btrfs_root_node -References: - https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19036 - https://bugzilla.redhat.com/show_bug.cgi?id=1775187 - https://bugzilla.suse.com/show_bug.cgi?id=1157692 -Notes: - jmm> Fixed by 62fdaa52a3d00a875da771719b6dc537ca79fce1 ? - carnil> This is a good candidate and is included in 5.4-rc1. It was - carnil> futhermore backported to 5.3.4, 5.2.19 and 4.19.129, where the - carnil> 5.3.4 fixing information would as well match what is available - carnil> from the Red Hat bugzilla. - bwh> I think this affects 4.9 but the fix depends on commits going back - bwh> to at least 581c1760415c "btrfs: Validate child tree block's level - bwh> and first key". -Bugs: -upstream: released (5.4-rc1) [62fdaa52a3d00a875da771719b6dc537ca79fce1] -5.10-upstream-stable: N/A "Fixed before branch point" -4.19-upstream-stable: released (4.19.129) [227af79e6cb0ee3faeb8c70be4bc0aec0b09ea25] -4.9-upstream-stable: needed -3.16-upstream-stable: ignored "EOL" -sid: released (5.3.7-1) -5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: released (4.19.131-1) -4.9-stretch-security: ignored "EOL" -3.16-jessie-security: ignored "EOL" diff --git a/active/CVE-2019-19377 b/active/CVE-2019-19377 deleted file mode 100644 index 57e43caf..00000000 --- a/active/CVE-2019-19377 +++ /dev/null 
@@ -1,19 +0,0 @@ -Description: btrfs: crafted image causes use-after-free in btrfs_queue_work -References: - https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19377 -Notes: - carnil> This might affect only 5.4+ stable releases, the fix at least - carnil> was submitted for those only and addressed in 5.4.33, 5.5.18 - carnil> and 5.6.5 as well. This needs to be verified/confirmed. - bwh> Apparently fixed along with CVE-2019-19039. -Bugs: -upstream: released (5.7-rc1) [b3ff8f1d380e65dddd772542aa9bff6c86bf715a] -5.10-upstream-stable: N/A "Fixed before branch point" -4.19-upstream-stable: released (4.19.156) [1527c0e0229d2dd1c8ae1e73b1579bd8d5866b5b] -4.9-upstream-stable: needed -3.16-upstream-stable: ignored "EOL" -sid: released (5.6.7-1) -5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: released (4.19.160-1) -4.9-stretch-security: ignored "EOL" -3.16-jessie-security: ignored "EOL" diff --git a/active/CVE-2019-9453 b/active/CVE-2019-9453 deleted file mode 100644 index e1fa0174..00000000 --- a/active/CVE-2019-9453 +++ /dev/null @@ -1,16 +0,0 @@ -Description: f2fs: fix to avoid accessing xattr across the boundary -References: - https://source.android.com/security/bulletin/pixel/2019-09-01 -Notes: - bwh> Apparently introduced in 3.8 when f2fs was added. -Bugs: -upstream: released (5.2-rc1) [2777e654371dd4207a3a7f4fb5fa39550053a080] -5.10-upstream-stable: N/A "Fixed before branch point" -4.19-upstream-stable: released (4.19.53) [ae3787d433f7b87ebf6b916e524c6e280e4e5804] -4.9-upstream-stable: needed -3.16-upstream-stable: ignored "f2fs is not supportable" -sid: released (5.2.6-1) -5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: released (4.19.67-1) -4.9-stretch-security: ignored "f2fs is not supportable" -3.16-jessie-security: ignored "f2fs is not supportable" diff --git a/active/CVE-2020-0030 b/active/CVE-2020-0030 deleted file mode 100644 index c22f65dc..00000000 
--- a/active/CVE-2020-0030 +++ /dev/null @@ -1,21 +0,0 @@ -Description: ANDROID: binder: synchronize_rcu() when using POLLFREE -References: - https://source.android.com/security/bulletin/2020-02-01.html -Notes: - bwh> Although the upstream commit has been backported to 4.9, it - bwh> depends on commit 7a4408c6bd3e "binder: make sure accesses to - bwh> proc/thread are safe" which has not. - carnil> For tracking, this was in 4.9.196 with - carnil> b6c6212514fe9f2387fc6677181028d4a9ae20c7 commit in linux-4.9.y - carnil> branch -Bugs: -upstream: released (4.16-rc3) [5eeb2ca02a2f6084fc57ae5c244a38baab07033a] -5.10-upstream-stable: N/A "Fixed before branch point" -4.19-upstream-stable: N/A "Fixed before branching point" -4.9-upstream-stable: needed -3.16-upstream-stable: ignored "Too difficult and risky to backport" -sid: released (4.15.11-1) -5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: ignored "binder not enabled, and risky to backport" -3.16-jessie-security: ignored "binder not enabled, and risky to backport" diff --git a/active/CVE-2021-33624 b/active/CVE-2021-33624 deleted file mode 100644 index 3da976cd..00000000 --- a/active/CVE-2021-33624 +++ /dev/null 
@@ -1,20 +0,0 @@ -Description: Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory -References: - https://www.openwall.com/lists/oss-security/2021/06/21/1 -Notes: - carnil> 9183671af6db ("bpf: Fix leakage under speculation on - carnil> mispredicted branches") is the main part of the fixes. - carnil> The selftest fixes commit was included in later release as well - carnil> in 5.10.57 but the CVE fixes covered already in 5.10.46. - bwh> I think this can be ignored. Privileged users can generally read - bwh> kernel memory through kprobes/tracepoints. Unprivileged use of - bwh> eBPF is now disabled by default in all Debian suites. -Bugs: -upstream: released (5.13-rc7) [d203b0fd863a2261e5d00b97f3d060c4c2a6db71, fe9a5ca7e370e613a9a75a13008a3845ea759d6e, 9183671af6dbf60a1219371d4ed73e23f43b49db, 973377ffe8148180b2651825b92ae91988141b05] -5.10-upstream-stable: released (5.10.46) [e9d271731d21647f8f9e9a261582cf47b868589a, 8c82c52d1de931532200b447df8b4fc92129cfd9, 5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b], released (5.10.57) [30ea1c535291e88e41413464277fcf98a95cf8c6] -4.19-upstream-stable: released (4.19.204) [0abc8c9754c953f5cd0ac7488c668ca8d53ffc90, c510c1845f7b54214b4117272e0d87dff8732af6, 5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b, c15b387769446c37a892f958b169744dabf7ff23] -4.9-upstream-stable: needed -sid: released (5.10.46-1) -5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: released (4.19.208-1) -4.9-stretch-security: ignored "Too risky to backport, and mitigated by default" diff --git a/active/CVE-2021-33655 b/active/CVE-2021-33655 deleted file mode 100644 index f151faf5..00000000 --- a/active/CVE-2021-33655 +++ /dev/null 
@@ -1,14 +0,0 @@ -Description: When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. -References: - https://www.openwall.com/lists/oss-security/2022/07/19/2 -Notes: - bwh> One commit is marked for backport to stable branches 4.14+, so I - bwh> assume all branches are somewhat affected. - bwh> Released in 5.18.11. -Bugs: -upstream: released (5.19-rc7) [65a01e601dbba8b7a51a2677811f70f783766682, e64242caef18b4a5840b0e7a9bff37abd4f4f933, 6c11df58fd1ac0aefcb3b227f72769272b939e56] -5.10-upstream-stable: released (5.10.130) [b727561ddc9360de9631af2d970d8ffed676a750, cecb806c766c78e1be62b6b7b1483ef59bbaeabe, b81212828ad19ab3eccf00626cd04099215060bf] -4.19-upstream-stable: released (4.19.252) [eae522ed28fe1c00375a8a0081a97dce7996e4d8] -sid: released (5.18.14-1) -5.10-bullseye-security: released (5.10.127-2) [bugfix/all/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch, bugfix/all/fbcon-disallow-setting-font-bigger-than-screen-size.patch, bugfix/all/fbcon-prevent-that-screen-size-is-smaller-than-font-.patch] -4.19-buster-security: released (4.19.260-1) |
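Review bot: in the CVE-2019-19036 hunk, `4.9-upstream-stable: needed` is still open at the moment the file is retired; that is only safe because both `4.9-stretch-security` and `3.16-jessie-security` are marked `ignored "EOL"`, so no supported suite depends on that branch. Because the diffstat is limited to 'active', the page does not show the counterpart addition; confirm the file was moved into the retired directory rather than dropped, since the bwh> note about the fix depending on 581c1760415c is the only record of why 4.9 was never handled. Cosmetic: "futhermore" in the carnil> note.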
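Review bot: in the CVE-2019-19377 hunk, the notes still carry the unresolved "This needs to be verified/confirmed" about which stable branches are affected, and `4.9-upstream-stable: needed` remains. The Debian side is closed (sid 5.6.7-1, buster 4.19.160-1, stretch and jessie `ignored "EOL"`), so retirement is defensible, but the only recorded resolution is "Apparently fixed along with CVE-2019-19039"; check that the CVE-2019-19039 entry is retired or tracked consistently with this one.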
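Review bot: the CVE-2019-9453 hunk is the cleanest of the set: every Debian line is either released (sid 5.2.6-1, buster 4.19.67-1) or `ignored "f2fs is not supportable"`, and the only open line is `4.9-upstream-stable: needed` for a branch no tracked suite uses. Nothing to object to beyond the usual check that the retired copy exists.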
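Review bot: in the CVE-2020-0030 hunk, the carnil> note records that the fix reached 4.9.196 as b6c6212514fe9f2387fc6677181028d4a9ae20c7 in linux-4.9.y, yet `4.9-upstream-stable` is still `needed`; the file is retired with that contradiction unresolved. It has no practical effect for Debian (stretch and jessie are `ignored "binder not enabled, and risky to backport"`), but the retired copy will understate what upstream actually released; consider updating that line to `released (4.9.196) [b6c6212514fe9f2387fc6677181028d4a9ae20c7]` before or as part of the move.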
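Review bot: in the CVE-2021-33624 hunk, the bwh> note argues the issue can be ignored because unprivileged eBPF is disabled by default in all Debian suites, while the Bugs block records real fixes shipped in sid (5.10.46-1) and buster (4.19.208-1); the stretch line (`ignored "Too risky to backport, and mitigated by default"`) captures both reasons. The entry has no 3.16 lines at all, unlike the earlier files in this commit, which is consistent with the 3.16 branches being EOL by then. `4.9-upstream-stable: needed` is the only open item and is covered by the stretch `ignored`.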
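Review bot: in the CVE-2021-33655 hunk, the Description line has a typo and a missing space ("malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel"); moot once retired, but worth fixing if the text survives in the retired copy. Substantively the entry is fully closed: sid 5.18.14-1, bullseye 5.10.127-2 carrying the three fbmem/fbcon patches, and buster 4.19.260-1, with no 4.9 or 3.16 lines, so retirement is correct.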