author: Ben Hutchings <ben@decadent.org.uk> 2020-11-30 02:09:27 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2020-11-30 02:09:27 +0100
commit: b2dd1ea9e251b15acffc24d82146222000ba38d3
tree: c26f4cda2cc01cec73b39aae3f3e477d630bf771 /active
parent: 852937d5ce830c1fb99188ba4b1157ea02997cbe
Fill in status for several issues
Diffstat (limited to 'active')
-rw-r--r-- active/CVE-2020-0423 5
-rw-r--r-- active/CVE-2020-16120 3
-rw-r--r-- active/CVE-2020-25670 15
-rw-r--r-- active/CVE-2020-25671 15
-rw-r--r-- active/CVE-2020-25672 15
-rw-r--r-- active/CVE-2020-25673 15
-rw-r--r-- active/CVE-2020-27777 6
-rw-r--r-- active/CVE-2020-28941 6
-rw-r--r-- active/CVE-2020-29374 9
-rw-r--r-- active/CVE-2020-4788 2
10 files changed, 52 insertions, 39 deletions
diff --git a/active/CVE-2020-0423 b/active/CVE-2020-0423
index 7d852c89..c2efdeda 100644
--- a/active/CVE-2020-0423
+++ b/active/CVE-2020-0423
@@ -3,10 +3,11 @@ References:
https://lore.kernel.org/lkml/20201009232455.4054810-1-tkjos@google.com/
Notes:
carnil> For v5.9.y fixed in 5.9.2.
+ bwh> Appears to have been introduced by locking changes around 4.14
Bugs:
upstream: released (5.10-rc1) [f3277cbfba763cd2826396521b9296de67cf1bbc]
4.19-upstream-stable: released (4.19.153) [35cc2facc2a5ff52b9aa03f2dc81dcb000d97da3]
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: released (5.9.6-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: N/A "Vulnerability introduced later"
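Review bot: the added bwh note hedges ("Appears to have been introduced by locking changes around 4.14"), but both 4.9 lines are closed outright as N/A "Vulnerability introduced later". Naming the introducing commit in the note would let a later reader confirm that 4.9 predates the bug rather than rely on "around 4.14".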
diff --git a/active/CVE-2020-16120 b/active/CVE-2020-16120
index b8dd4f72..fbf03408 100644
--- a/active/CVE-2020-16120
+++ b/active/CVE-2020-16120
@@ -9,6 +9,9 @@ Notes:
carnil> hook in ovl_real_ioctl()") might be wanted (see oss-security
carnil> post).
carnil> Only exploitable when unprivileged user namespaces are enabled.
+ bwh> I think it's only exploitable when unprivileged user namespace
+ bwh> are enabled, *and* mounting of overlayfs is permitted in all
+ bwh> user namespaces.
Bugs:
upstream: released (5.8-rc1) [48bd024b8a40d73ad6b086de2615738da0c7004f, 56230d956739b9cb1cbde439d76227d77979a04d, 05acefb4872dae89e772729efb194af754c877e8]
4.19-upstream-stable:
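Review bot: grammar in the added note, "unprivileged user namespace are enabled" should read "user namespaces are enabled". The note also narrows the exploitability condition only tentatively ("I think"), and 4.19-upstream-stable in the trailing context is still blank after this change; either set a status there or say in the note what is still being checked.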
diff --git a/active/CVE-2020-25670 b/active/CVE-2020-25670
index ec208c1c..778f6249 100644
--- a/active/CVE-2020-25670
+++ b/active/CVE-2020-25670
@@ -1,11 +1,12 @@
-Description:
+Description: refcount leak in llcp_sock_bind()
References:
https://www.openwall.com/lists/oss-security/2020/11/01/1
Notes:
+ bwh> Not sure how far back this goes, but 4.9 seems to have the issue
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
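Review bot: all six status lines, upstream included, go to "needed" on the strength of a note that says "Not sure how far back this goes, but 4.9 seems to have the issue". That is a reasonable conservative default, but the note should state what was actually checked in 4.9 (for example that llcp_sock_bind() has the same code path), so the "needed" on the 4.9 lines can be revisited once a fix commit or introducing commit is known. The same note text is repeated verbatim in CVE-2020-25671 through CVE-2020-25673.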
diff --git a/active/CVE-2020-25671 b/active/CVE-2020-25671
index ec208c1c..c636288e 100644
--- a/active/CVE-2020-25671
+++ b/active/CVE-2020-25671
@@ -1,11 +1,12 @@
-Description:
+Description: refcount leak in llcp_sock_connect()
References:
https://www.openwall.com/lists/oss-security/2020/11/01/1
Notes:
+ bwh> Not sure how far back this goes, but 4.9 seems to have the issue
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
diff --git a/active/CVE-2020-25672 b/active/CVE-2020-25672
index ec208c1c..2191d25b 100644
--- a/active/CVE-2020-25672
+++ b/active/CVE-2020-25672
@@ -1,11 +1,12 @@
-Description:
+Description: memory leak in llcp_sock_connect()
References:
https://www.openwall.com/lists/oss-security/2020/11/01/1
Notes:
+ bwh> Not sure how far back this goes, but 4.9 seems to have the issue
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
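Review bot: the new Description, "memory leak in llcp_sock_connect()", differs from CVE-2020-25671's "refcount leak in llcp_sock_connect()" by one word, and both files cite the same oss-security post. Naming the leaked object or the error path in each Description would make it possible to match a future fix commit to the right CVE without rereading the reference.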
diff --git a/active/CVE-2020-25673 b/active/CVE-2020-25673
index ec208c1c..b7f85f23 100644
--- a/active/CVE-2020-25673
+++ b/active/CVE-2020-25673
@@ -1,11 +1,12 @@
-Description:
+Description: list corruption and memory leak in llcp_sock_connect() for non-blocking socket
References:
https://www.openwall.com/lists/oss-security/2020/11/01/1
Notes:
+ bwh> Not sure how far back this goes, but 4.9 seems to have the issue
Bugs:
-upstream:
-4.19-upstream-stable:
-4.9-upstream-stable:
-sid:
-4.19-buster-security:
-4.9-stretch-security:
+upstream: needed
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
+sid: needed
+4.19-buster-security: needed
+4.9-stretch-security: needed
diff --git a/active/CVE-2020-27777 b/active/CVE-2020-27777
index 8755392a..b5ebac79 100644
--- a/active/CVE-2020-27777
+++ b/active/CVE-2020-27777
@@ -2,10 +2,12 @@ Description: powerpc/rtas: Restrict RTAS requests from userspace
References:
https://www.openwall.com/lists/oss-security/2020/10/09/1
Notes:
+ bwh> I think this can be ignored for buster as we do not support
+ bwh> Secure Boot on powerpc architectures.
Bugs:
upstream: released (5.10-rc1) [bd59380c5ba4147dcbaad3e582b55ccfd120b764]
4.19-upstream-stable: released (4.19.155) [94e8f0bbc475228c93d28b2e0f7e37303db80ffe]
-4.9-upstream-stable:
+4.9-upstream-stable: ignored "Only an issue when Secure Boot is implemented"
sid: released (5.9.6-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: ignored "Only an issue when Secure Boot is implemented"
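Review bot: the added note says this "can be ignored for buster", but the lines changed here are the 4.9 ones (4.9-upstream-stable and 4.9-stretch-security), while 4.19-buster-security stays "needed" in the context. Either the note should say stretch, or the buster line should also move to ignored with the same Secure Boot reason; as written the note and the statuses disagree.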
diff --git a/active/CVE-2020-28941 b/active/CVE-2020-28941
index 74dd596f..f152804c 100644
--- a/active/CVE-2020-28941
+++ b/active/CVE-2020-28941
@@ -4,10 +4,12 @@ References:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1
Notes:
carnil> Fixed as well in v5.9.11.
+ bwh> Introduced in 4.13 by commit 1ab92da32e37 "staging: speakup: add
+ bwh> tty-based comms functions".
Bugs:
upstream: released (5.10-rc5) [d4122754442799187d5d537a9c039a49a67e57f1]
4.19-upstream-stable: released (4.19.160) [3560603ef82f11277143a433170bca05bd9288a8]
-4.9-upstream-stable:
+4.9-upstream-stable: N/A "Vulnerable code not present"
sid: released (5.9.11-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2020-29374 b/active/CVE-2020-29374
index 380dc3a4..d26482a4 100644
--- a/active/CVE-2020-29374
+++ b/active/CVE-2020-29374
@@ -2,10 +2,11 @@ Description: gup: document and work around "COW can break either way" issue
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2045
Notes:
+ bwh> The issue is said to go back to "2.x kernels"
Bugs:
upstream: released (5.8-rc1) [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
-4.19-upstream-stable:
-4.9-upstream-stable:
+4.19-upstream-stable: needed
+4.9-upstream-stable: needed
sid: released (5.7.6-1)
-4.19-buster-security:
-4.9-stretch-security:
+4.19-buster-security: needed
+4.9-stretch-security: needed
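Review bot: the added note, "The issue is said to go back to "2.x kernels"", gives no source for the claim, and it is the only justification for marking all four stable and security branches "needed". Say where this is stated (the Project Zero issue listed under References, if that is the source) so the range can be verified.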
diff --git a/active/CVE-2020-4788 b/active/CVE-2020-4788
index 6649e339..b5292c21 100644
--- a/active/CVE-2020-4788
+++ b/active/CVE-2020-4788
@@ -9,4 +9,4 @@ upstream: released (5.10-rc5) [fcb48454c23c5679d1a2e252f127642e91b05cbe, f796437
4.9-upstream-stable: released (4.9.245) [6672e0ba87c7643ed2c86ac949d3dbaa7a8ae6d7, 4eb53cb9f9f71bf615f344524eb195607501dd9e, fa4bf9f38184ed7ca4916eb64f8c767d1e279c1f, 82973e9a1b814c3f0a11014fd84261f4c9e00e37, 3853ff577423903917b7951bbf48bb198a96bd18, d765c7b38bc7532b99e868e4df9f9b3156f2cb0c, 9fbcbd259cf6ecab607efc7ad3a0f3d9bff3a325, d67c5c60a4225d98e24381f2da8f449e50733e81]
sid: released (5.9.11-1)
4.19-buster-security: needed
-4.9-stretch-security:
+4.9-stretch-security: ignored "powerpc architectures not included in LTS"
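Review bot: 4.9-stretch-security is set to ignored "powerpc architectures not included in LTS" while the context line shows 4.9-upstream-stable already released in 4.9.245. Unlike the other files in this commit, no Notes entry is added here; a one-line note saying whether "ignored" means the fix is deliberately not tracked for stretch, as opposed to not applicable, would avoid confusion with the N/A states used elsewhere.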
