Retire several CVEs

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5347 e094ebfe-e918-0410-adfb-c712417f3574

1 files changed, 23 insertions, 0 deletions

diff --git a/retired/CVE-2016-2188 b/retired/CVE-2016-2188
new file mode 100644
index 00000000..56e71357
--- /dev/null
+++ b/retired/CVE-2016-2188
@@ -0,0 +1,23 @@
+Description: Kernel panic on invalid USB device descriptor (iowarrior driver)
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1317018
+ https://bugzilla.redhat.com/show_bug.cgi?id=1283390
+ http://seclists.org/bugtraq/2016/Mar/87
+ http://marc.info/?l=linux-usb&m=145796659429788&w=2
+ https://git.kernel.org/linus/4ec0ef3a82125efc36173062a50624550a900ae0
+ https://marc.info/?l=linux-usb&m=148890022313747
+Notes:
+ bwh> Upstream fix (commit listed above) handles the case where there
+ bwh> are zero endpoints, but not the case where there are some
+ bwh> endpoints but none of the expected type.  So this is not really
+ bwh> fixed anywhere yet.
+ bwh> A second proposed fix was posted in March 2017 (second linux-usb
+ bwh> message linked above).
+Bugs:
+upstream: released (4.11-rc2) [b7321e81fc369abe353cf094d4f0dc2fe11ab95f]
+4.9-upstream-stable: released (4.9.16) [653418adaf1026a10e0c2e4e29b7319610117b33]
+3.16-upstream-stable: released (3.16.44) [d2d603cf8fd51f0da5e4bc809d17824faa7630f7]
+3.2-upstream-stable: released (3.2.89) [6598f3d653a85dccfb4a472504ec6fd12cec8e42]
+sid: released (4.9.16-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]