author Ben Hutchings <benh@debian.org> 2017-02-23 21:55:28 +0000
committer Ben Hutchings <benh@debian.org> 2017-02-23 21:55:28 +0000
commit c77a05b32b2f63a5cefb610c25affbe3a5afe807
tree 83c44ec760bac31786ce6385a318fbf76a8d8e81 /retired
parent 8006483d9aab4dfb5da87b728df3166107707e9e
Retire many issues now released (or N/A or ignored) in all branches
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5001 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2012-6704  | 22
-rw-r--r-- retired/CVE-2014-9888  | 13
-rw-r--r-- retired/CVE-2014-9895  | 12
-rw-r--r-- retired/CVE-2014-9914  | 11
-rw-r--r-- retired/CVE-2015-8962  | 10
-rw-r--r-- retired/CVE-2015-8963  | 10
-rw-r--r-- retired/CVE-2015-8964  | 18
-rw-r--r-- retired/CVE-2016-10088 | 15
-rw-r--r-- retired/CVE-2016-6786  | 12
-rw-r--r-- retired/CVE-2016-6787  | 12
-rw-r--r-- retired/CVE-2016-7911  | 11
-rw-r--r-- retired/CVE-2016-7912  | 12
-rw-r--r-- retired/CVE-2016-7915  | 10
-rw-r--r-- retired/CVE-2016-7917  | 19
-rw-r--r-- retired/CVE-2016-8399  | 13
-rw-r--r-- retired/CVE-2016-8405  | 11
-rw-r--r-- retired/CVE-2016-8636  | 12
-rw-r--r-- retired/CVE-2016-8645  | 25
-rw-r--r-- retired/CVE-2016-8650  | 12
-rw-r--r-- retired/CVE-2016-8655  | 14
-rw-r--r-- retired/CVE-2016-9120  | 10
-rw-r--r-- retired/CVE-2016-9178  | 17
-rw-r--r-- retired/CVE-2016-9191  | 13
-rw-r--r-- retired/CVE-2016-9555  | 10
-rw-r--r-- retired/CVE-2016-9576  | 18
-rw-r--r-- retired/CVE-2016-9756  | 11
-rw-r--r-- retired/CVE-2016-9793  | 13
-rw-r--r-- retired/CVE-2016-9794  | 10
-rw-r--r-- retired/CVE-2017-6001  | 13
29 files changed, 389 insertions, 0 deletions
diff --git a/retired/CVE-2012-6704 b/retired/CVE-2012-6704
new file mode 100644
index 00000000..38f08b67
--- /dev/null
+++ b/retired/CVE-2012-6704
@@ -0,0 +1,22 @@
+Description: net: Negative socket receive buffer size permitted
+References:
+Notes:
+ bwh> Prior to commit 82981930125a "net: cleanups in sock_setsockopt()":
+ bwh> - The comparison with SOCK_MIN_SNDBUF used type int, so it
+ bwh> rejected negative values
+ bwh> - The comparison with SOCK_MIN_RCVBUF used type size_t, so it did
+ bwh> *not* reject negative values
+ bwh> - The comparisons of val with sysctl_wmem_max used type u32, so
+ bwh> they rejected negative values *unless* sysctl_wmem_max >=
+ bwh> 1 << 30 (and why would you set it that high?!)
+ bwh> So it was possible to set a negative value for sock::sk_rcvbuf
+ bwh> through SO_RCVBUFFORCE (escalation from CAP_NET_ADMIN to kernel)
+ bwh> or through SO_RCVBUF (escalation from user to kernel) iff
+ bwh> sysctl_wmem_max was large enough.
+Bugs:
+upstream: released (3.5-rc1) [82981930125abfd39d7c8378a9cfdf5e1be2002b]
+3.16-upstream-stable: N/A "Fixed before initial 3.16 release"
+3.2-upstream-stable: released (3.2.85) [net-cleanups-in-sock_setsockopt.patch]
+sid: released (3.8.11-1)
+3.16-jessie-security: N/A "Fixed before initial 3.16 release"
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-cleanups-in-sock_setsockopt.patch]
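Review bot: the References: field is empty although the note identifies the fix as commit 82981930125a ("net: cleanups in sock_setsockopt()"); add a link to that upstream commit or to the CVE entry so the type-width reasoning in the note can be checked against the code. A cross-reference to CVE-2016-9793 would also help: its note says that backporting 82981930125a to the 3.2 branches requires the signed-overflow fix as well, so the 3.2.85 and 3.2.84-1 entries here need to be read together with that file.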
diff --git a/retired/CVE-2014-9888 b/retired/CVE-2014-9888
new file mode 100644
index 00000000..38027afd
--- /dev/null
+++ b/retired/CVE-2014-9888
@@ -0,0 +1,13 @@
+Description: arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.
+References:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9888
+ http://source.android.com/security/bulletin/2016-08-01.html
+ https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=f044936caab337a4384fbfe64a4cbae33c7e22a1
+Notes:
+Bugs:
+upstream: released (3.13-rc1) [0ea1ec713f04bdfac343c9702b21cd3a7c711826]
+3.16-upstream-stable: N/A
+3.2-upstream-stable: released (3.2.85) [arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch]
+sid: released (3.13.4-1)
+3.16-jessie-security: N/A
+3.2-wheezy-security: released (3.2.84-2) [bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch]
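Review bot: the two 3.16 entries say only "N/A" with no reason string, whereas other files in this commit qualify N/A with a quoted reason such as "Fixed before initial 3.16 release"; since the upstream fix landed in 3.13-rc1, add that reason to both the 3.16-upstream-stable and 3.16-jessie-security lines.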
diff --git a/retired/CVE-2014-9895 b/retired/CVE-2014-9895
new file mode 100644
index 00000000..a7a47a42
--- /dev/null
+++ b/retired/CVE-2014-9895
@@ -0,0 +1,12 @@
+Description:
+References:
+ http://source.android.com/security/bulletin/2016-08-01.html
+ https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=cc4b26575602e492efd986e9a6ffc4278cee53b5
+Notes:
+Bugs:
+upstream: released (3.11-rc1) [c88e739b1fad662240e99ecbd0bdaac871717987]
+3.16-upstream-stable: N/A
+3.2-upstream-stable: released (3.2.85) [media-info-leak-in-__media_device_enum_links.patch]
+sid: released (3.11.5-1)
+3.16-jessie-security: N/A
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/media-info-leak-in-__media_device_enum_links.patch]
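Review bot: the Description: field is empty; the patch name media-info-leak-in-__media_device_enum_links.patch indicates an information leak in __media_device_enum_links, so a one-line description along those lines should be filled in. The bare "N/A" on the 3.16 lines should also carry a reason, as the fix is in 3.11-rc1, before the initial 3.16 release.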
diff --git a/retired/CVE-2014-9914 b/retired/CVE-2014-9914
new file mode 100644
index 00000000..ce5d3c27
--- /dev/null
+++ b/retired/CVE-2014-9914
@@ -0,0 +1,11 @@
+Description: Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c
+References:
+ http://source.android.com/security/bulletin/2017-02-01.html
+Notes:
+Bugs:
+upstream: released (3.16-rc1) [9709674e68646cee5a24e3000b3558d25412203a]
+3.16-upstream-stable: N/A
+3.2-upstream-stable: N/A "Introduced in 3.8-rc6 with 8141ed9fcedb278f4a3a78680591bef1e55f75fb"
+sid: released (3.16.2-1)
+3.16-jessie-security: N/A
+3.2-wheezy-security: N/A "Vulnerable code not present"
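Review bot: the 3.16-upstream-stable and 3.16-jessie-security lines read only "N/A" without a reason while the 3.2 lines are qualified; with the fix in 3.16-rc1 the reason is "Fixed before initial 3.16 release" and should be stated. The References: section links only the Android bulletin; a link to upstream commit 9709674e6864 would let the reader verify the race described.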
diff --git a/retired/CVE-2015-8962 b/retired/CVE-2015-8962
new file mode 100644
index 00000000..466d9bbd
--- /dev/null
+++ b/retired/CVE-2015-8962
@@ -0,0 +1,10 @@
+Description: Double-free in sg driver after hot-unplug during I/O
+References:
+Notes:
+Bugs:
+upstream: released (4.4-rc1) [f3951a3709ff50990bf3e188c27d346792103432]
+3.16-upstream-stable: released (3.16.40) [sg-fix-double-free-when-drives-detach-during-sg_io.patch]
+3.2-upstream-stable: released (3.2.85) [sg-fix-double-free-when-drives-detach-during-sg_io.patch]
+sid: released (4.4.2-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch]
diff --git a/retired/CVE-2015-8963 b/retired/CVE-2015-8963
new file mode 100644
index 00000000..ee515a90
--- /dev/null
+++ b/retired/CVE-2015-8963
@@ -0,0 +1,10 @@
+Description: Use-after-free in perf subsystem after CPU hot-unplug
+References:
+Notes:
+Bugs:
+upstream: released (4.4) [12ca6ad2e3a896256f086497a7c7406a547ee373]
+3.16-upstream-stable: released (3.16.40) [perf-fix-race-in-swevent-hash.patch]
+3.2-upstream-stable: released (3.2.85) [perf-fix-race-in-swevent-hash.patch]
+sid: released (4.4.2-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/perf-fix-race-in-swevent-hash.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/perf-fix-race-in-swevent-hash.patch]
diff --git a/retired/CVE-2015-8964 b/retired/CVE-2015-8964
new file mode 100644
index 00000000..97e0f859
--- /dev/null
+++ b/retired/CVE-2015-8964
@@ -0,0 +1,18 @@
+Description: Potential information leak or use-after-free in tty subsystem
+References:
+ https://source.android.com/security/bulletin/2016-11-01.html
+Notes:
+ bwh> A known use-after-free bug in N_X25 has already been fixed
+ bwh> (commit ee9159ddce14, no CVE assigned). The Android security
+ bwh> bulletin says this fixes an information leak, presumably because
+ bwh> if receive_room is too large it will permit reading beyond a
+ bwh> buffer. We also need commit fd98e9419d8d ("isdn/gigaset: reset
+ bwh> tty->receive_room when attaching ser_gigaset") to avoid a
+ bwh> regression.
+Bugs:
+upstream: released (4.5-rc1) [dd42bf1197144ede075a9d4793123f7689e164bc]
+3.16-upstream-stable: released (3.16.40) [tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch]
+3.2-upstream-stable: released (3.2.85) [tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch]
+sid: released (4.5.1-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch]
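Review bot: the note says commit fd98e9419d8d ("isdn/gigaset: reset tty->receive_room when attaching ser_gigaset") is needed alongside the fix to avoid a regression, but none of the branch entries records that follow-up; either list it in the bracketed patch names for the 3.16 and 3.2 branches or state in the note that it is folded into the single tty-prevent-ldisc-drivers patch.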
diff --git a/retired/CVE-2016-10088 b/retired/CVE-2016-10088
new file mode 100644
index 00000000..31fdb7c8
--- /dev/null
+++ b/retired/CVE-2016-10088
@@ -0,0 +1,15 @@
+Description: Memory corruption in SCSI generic device interface
+References:
+ https://marc.info/?l=linux-scsi&m=148010092224801&w=2
+ https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt
+ http://www.openwall.com/lists/oss-security/2016/12/30/1
+Notes:
+ bwh> This is the vulnerabilbility left after fixing CVE-2016-9576.
+Bugs:
+upstream: released (4.10-rc1) [128394eff343fc6d2f32172f03e24829539c5835]
+4.9-upstream-stable: released (4.9.2) [3f3a6bbe6f9f5e895d8945494173594ee51632da]
+3.16-upstream-stable: released (3.16.40) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch]
+3.2-upstream-stable: released (3.2.85) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch]
+sid: released (4.8.15-2) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch]
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
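Review bot: typo in the note, "vulnerabilbility" should read "vulnerability". The 3.16 and 3.2 entries name the same sg_write-bsg_write patch as the retired/CVE-2016-9576 file in this commit, which agrees with the note there that commit 128394eff343 fixes both CVEs; a cross-reference in the Notes here would make that explicit for anyone reading this file alone.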
diff --git a/retired/CVE-2016-6786 b/retired/CVE-2016-6786
new file mode 100644
index 00000000..1fc23400
--- /dev/null
+++ b/retired/CVE-2016-6786
@@ -0,0 +1,12 @@
+Description: Possible privilege escalation due to lack of locking around changing event->ctx
+References:
+Notes:
+ bwh> The upstream fix was not complete; see CVE-2017-6001
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1403842
+upstream: released (4.0-rc1) [f63a8daa5812afef4f06c962351687e1ff9ccb2b]
+3.16-upstream-stable: released (3.16.40) [perf-fix-event-ctx-locking.patch]
+3.2-upstream-stable: released (3.2.85) [perf-fix-event-ctx-locking.patch]
+sid: released (4.0.2-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-Fix-event-ctx-locking.patch]
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-fix-event-ctx-locking.patch]
diff --git a/retired/CVE-2016-6787 b/retired/CVE-2016-6787
new file mode 100644
index 00000000..1fc23400
--- /dev/null
+++ b/retired/CVE-2016-6787
@@ -0,0 +1,12 @@
+Description: Possible privilege escalation due to lack of locking around changing event->ctx
+References:
+Notes:
+ bwh> The upstream fix was not complete; see CVE-2017-6001
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1403842
+upstream: released (4.0-rc1) [f63a8daa5812afef4f06c962351687e1ff9ccb2b]
+3.16-upstream-stable: released (3.16.40) [perf-fix-event-ctx-locking.patch]
+3.2-upstream-stable: released (3.2.85) [perf-fix-event-ctx-locking.patch]
+sid: released (4.0.2-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-Fix-event-ctx-locking.patch]
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-fix-event-ctx-locking.patch]
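Review bot: this file is byte-for-byte identical to retired/CVE-2016-6786 (same blob index 1fc23400), so nothing records why two CVE identifiers exist for one fix; add a note stating that CVE-2016-6787 duplicates or was merged with CVE-2016-6786, and have retired/CVE-2017-6001, whose note mentions only CVE-2016-6786, reference both.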
diff --git a/retired/CVE-2016-7911 b/retired/CVE-2016-7911
new file mode 100644
index 00000000..9b57dbf0
--- /dev/null
+++ b/retired/CVE-2016-7911
@@ -0,0 +1,11 @@
+Description: Use-after-free in ioprio_get() implementation
+References:
+Notes:
+ bwh> Implementation was in fs/ioprio.c before v3.16
+Bugs:
+upstream: released (4.7-rc7) 8ba8682107ee2ca3347354e018865d8e1967c5f4]
+3.16-upstream-stable: released (3.16.37)
+3.2-upstream-stable: released (3.2.85) [block-fix-use-after-free-in-sys_ioprio_get.patch]
+sid: released (4.7.2-1)
+3.16-jessie-security: released (3.16.39-1)
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch]
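Review bot: the upstream line is missing the opening bracket around the commit id; it should read "upstream: released (4.7-rc7) [8ba8682107ee2ca3347354e018865d8e1967c5f4]" to match the format of every other entry. The 3.16-upstream-stable and 3.16-jessie-security lines also give no patch name, unlike the 3.2 lines; if the fix reached 3.16.37 as an upstream stable commit, recording its id there would be consistent with the 4.9-upstream-stable lines elsewhere in this commit.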
diff --git a/retired/CVE-2016-7912 b/retired/CVE-2016-7912
new file mode 100644
index 00000000..5f7d3bc5
--- /dev/null
+++ b/retired/CVE-2016-7912
@@ -0,0 +1,12 @@
+Description: Use-after-free in USB gadget functionfs
+References:
+Notes:
+ carnil> Introduced in 3.15-rc1 with 2e4c7553cd6f9c68bb741582dcb614edcbeca70f
+ carnil> but might have been backported.
+Bugs:
+upstream: released (4.6-rc5) [38740a5b87d53ceb89eb2c970150f6e94e00373a]
+3.16-upstream-stable: released (3.16.40) [usb-gadget-f_fs-fix-use-after-free.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.5.3-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
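Review bot: the note still says the introducing commit "might have been backported", but the 3.2 entries already conclude "Vulnerable code not present"; update the note to record that the backport check was done, so the open question does not survive into the retired file.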
diff --git a/retired/CVE-2016-7915 b/retired/CVE-2016-7915
new file mode 100644
index 00000000..94fb1504
--- /dev/null
+++ b/retired/CVE-2016-7915
@@ -0,0 +1,10 @@
+Description: Out-of-bounds read in hid-core
+References:
+Notes:
+Bugs:
+upstream: released (4.6-rc1) [50220dead1650609206efe91f0cc116132d59b3f]
+3.16-upstream-stable: released (3.16.40) [hid-core-prevent-out-of-bound-readings.patch]
+3.2-upstream-stable: released (3.2.85) [hid-core-prevent-out-of-bound-readings.patch]
+sid: released (4.6.1-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/hid-core-prevent-out-of-bound-readings.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/hid-core-prevent-out-of-bound-readings.patch]
diff --git a/retired/CVE-2016-7917 b/retired/CVE-2016-7917
new file mode 100644
index 00000000..78f54448
--- /dev/null
+++ b/retired/CVE-2016-7917
@@ -0,0 +1,19 @@
+Description:
+ The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does
+ not check whether a batch message's length field is large enough, which allows local users to
+ obtain sensitive information from kernel memory or cause a denial of service (infinite loop or
+ out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.
+References:
+ http://source.android.com/security/bulletin/2016-11-01.html
+Notes:
+ carnil> Introduced in 3.19-rc5 with 9ea2aa8b7dba9e99544c4187cc298face254569f but needs double
+ carnil> check if backported.
+ bwh> It was backported to 3.16-stable as commit d922a1cee45e (among other
+ bwh> stable branches)
+Bugs:
+upstream: released (4.5-rc6) [c58d6c93680f28ac58984af61d0a7ebf4319c241]
+3.16-upstream-stable: released (3.16.40) [netfilter-nfnetlink-correctly-validate-length-of-batch-messages.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.5.1-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2016-8399 b/retired/CVE-2016-8399
new file mode 100644
index 00000000..1809fffd
--- /dev/null
+++ b/retired/CVE-2016-8399
@@ -0,0 +1,13 @@
+Description: net: ping: check minimum size on ICMP header length
+References:
+Notes:
+ bwh> Access to ping sockets is limited to a range of groups, defaulting
+ bwh> to an empty range. As Debian's ping still uses raw sockets, we
+ bwh> don't change that default and this is not exploitable.
+Bugs:
+upstream: released (4.9) [0eab121ef8750a5c8637d51534d5e9143fb0633f]
+3.16-upstream-stable: released (3.16.40) [net-ping-check-minimum-size-on-icmp-header-length.patch]
+3.2-upstream-stable: released (3.2.85) [net-ping-check-minimum-size-on-icmp-header-length.patch]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch]
diff --git a/retired/CVE-2016-8405 b/retired/CVE-2016-8405
new file mode 100644
index 00000000..854a117b
--- /dev/null
+++ b/retired/CVE-2016-8405
@@ -0,0 +1,11 @@
+Description: fbdev: color map copying bounds checking
+References:
+Notes:
+Bugs:
+upstream: released (4.10-rc6) [2dc705a9930b4806250fbf5a76e55266e59389f2]
+4.9-upstream-stable: released (4.9.7) [544160b6ea18670196d1173c099f2cced5075132]
+3.16-upstream-stable: released (3.16.40) [fbdev-color-map-copying-bounds-checking.patch]
+3.2-upstream-stable: released (3.2.85) [fbdev-color-map-copying-bounds-checking.patch]
+sid: released (4.9.6-1) [bugfix/all/fbdev-color-map-coying-bounds-checking.patch]
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/fbdev-color-map-copying-bounds-checking.patch]
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/fbdev-color-map-copying-bounds-checking.patch]
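Review bot: the sid entry names the patch fbdev-color-map-coying-bounds-checking.patch while every other branch names fbdev-color-map-copying-bounds-checking.patch; confirm which spelling is the file actually shipped in 4.9.6-1 and correct the tracker entry if "coying" is a transcription error rather than the real filename.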
diff --git a/retired/CVE-2016-8636 b/retired/CVE-2016-8636
new file mode 100644
index 00000000..2873ad81
--- /dev/null
+++ b/retired/CVE-2016-8636
@@ -0,0 +1,12 @@
+Description: IB/rxe: mem_check_range integer overflow
+References:
+ https://eyalitkin.wordpress.com/2017/02/11/cve-publication-cve-2016-8636/
+Notes:
+Bugs:
+upstream: released (4.10-rc8) [647bf3d8a8e5777319da92af672289b2a6c4dc66]
+4.9-upstream-stable: released (4.9.10) [b7dd5edc3dd9191f2cb1bd508279b0ff7274c5aa]
+3.16-upstream-stable: N/A "Vulnerable code not present, introduced in 4.8"
+3.2-upstream-stable: N/A "Vulnerable code not present, introduced in 4.8"
+sid: released (4.9.10-1)
+3.16-jessie-security: N/A "Vulnerable code not present, introduced in 4.8"
+3.2-wheezy-security: N/A "Vulnerable code not present, introduced in 4.8"
diff --git a/retired/CVE-2016-8645 b/retired/CVE-2016-8645
new file mode 100644
index 00000000..1f1158c4
--- /dev/null
+++ b/retired/CVE-2016-8645
@@ -0,0 +1,25 @@
+Description: net: a BUG() statement can be hit in net/ipv4/tcp_input.c
+References:
+ http://www.spinics.net/lists/stable/msg150470.html
+ http://www.spinics.net/lists/netdev/msg403701.html
+ http://marc.info/?l=linux-netdev&m=147878925724283&w=2
+ http://marc.info/?t=147878927800005&r=1&w=2 # the whole thread
+ https://bugzilla.redhat.com/show_bug.cgi?id=1393904
+ http://marc.info/?l=linux-netdev&m=147881188232264&w=2
+ http://marc.info/?t=147881111500001&r=1&w=2&n=2 # the whole thread
+ http://marc.info/?l=linux-netdev&m=147881236332369&w=2 # patch v2
+ http://www.spinics.net/lists/netdev/msg403787.html
+ http://www.spinics.net/lists/netdev/msg403789.html # patch v2
+Notes:
+ carnil> Issue introduced with the tcp-fastopen feature. Cf.
+ carnil> http://www.openwall.com/lists/oss-security/2016/11/30/3
+ carnil> Introduced in 3.6-rc1 with cf60af03ca4e71134206809ea892e49b92a88896
+ bwh> Eric Dumazet disputes that tcp-fastopen introduced the issue.
+ bwh> Only the specific case found by syzkaller seems to depend on it.
+Bugs:
+upstream: released (4.9-rc6) [ac6e780070e30e4c35bd395acfe9191e6268bdd3]
+3.16-upstream-stable: released (3.16.40) [tcp-take-care-of-truncations-done-by-sk_filter.patch]
+3.2-upstream-stable: released (3.2.85) [tcp-take-care-of-truncations-done-by-sk_filter.patch]
+sid: released (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]
diff --git a/retired/CVE-2016-8650 b/retired/CVE-2016-8650
new file mode 100644
index 00000000..14cf9f69
--- /dev/null
+++ b/retired/CVE-2016-8650
@@ -0,0 +1,12 @@
+Description: Null pointer dereference via keyctl
+References:
+ https://lkml.org/lkml/2016/11/23/477
+ http://seclists.org/fulldisclosure/2016/Nov/76
+Notes:
+Bugs:
+upstream: released (4.9-rc7) [f5527fffff3f002b0a6b376163613b82f69de073]
+3.16-upstream-stable: released (3.16.40) [mpi-fix-null-ptr-dereference-in-mpi_powm.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with cdec9cb5167ab1113ba9c58e395f664d9d3f9acb"
+sid: released (4.8.11-1) [bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch]
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2016-8655 b/retired/CVE-2016-8655
new file mode 100644
index 00000000..5b6228df
--- /dev/null
+++ b/retired/CVE-2016-8655
@@ -0,0 +1,14 @@
+Description: Linux af_packet.c race condition
+References:
+ http://www.openwall.com/lists/oss-security/2016/12/06/1
+Notes:
+ carnil> Introduced in 3.2-rc1 with f6fb8f100b807378fda19e83e5ac6828b638603a
+ bwh> But AF_PACKET is only usable with CAP_NET_RAW, so is not so serious a
+ bwh> vulnerability without unprivileged user namespaces enabled.
+Bugs:
+upstream: released (4.9-rc8) [84ac7260236a49c79eede91617700174c2c19b0c]
+3.16-upstream-stable: released (3.16.40) [packet-fix-race-condition-in-packet_set_ring.patch]
+3.2-upstream-stable: released (3.2.85) [packet-fix-race-condition-in-packet_set_ring.patch]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch]
diff --git a/retired/CVE-2016-9120 b/retired/CVE-2016-9120
new file mode 100644
index 00000000..1809b39f
--- /dev/null
+++ b/retired/CVE-2016-9120
@@ -0,0 +1,10 @@
+Description: Race condition in Android ion_ioctl function
+References:
+Notes:
+Bugs:
+upstream: released (4.6-rc1) [9590232bb4f4cc824f3425a6e1349afbe6d6d2b7]
+3.16-upstream-stable: released (3.16.40) [staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.6.1-1)
+3.16-jessie-security: ignored "Debian is not Android"
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2016-9178 b/retired/CVE-2016-9178
new file mode 100644
index 00000000..54181c77
--- /dev/null
+++ b/retired/CVE-2016-9178
@@ -0,0 +1,17 @@
+Description: minor information leak in get_user_ex()
+References:
+Notes:
+ carnil> If this issue is fixed, then one needs to assure
+ carnil> to not introduce the privilege escalation issue
+ carnil> as present in 4.4.22 through 4.4.28 (cf.
+ carnil> CVE-2016-9644) due to a wrong backport/missing
+ carnil> backport of 548acf19234dbda5a52d5a8e7e205af46e9da840
+ carnil> as well. See notes in CVE-2016-9644
+ jmm> Linus prepared a backport for 4.4.31: dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a
+Bugs:
+upstream: released (4.8-rc7) [1c109fabbd51863475cd12ac206bdd249aee35af]
+3.16-upstream-stable: released (3.16.40) [fix-potential-infoleak-in-older-kernels.patch]
+3.2-upstream-stable: released (3.2.85) [fix-potential-infoleak-in-older-kernels.patch]
+sid: released (4.7.5-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch]
diff --git a/retired/CVE-2016-9191 b/retired/CVE-2016-9191
new file mode 100644
index 00000000..c540c324
--- /dev/null
+++ b/retired/CVE-2016-9191
@@ -0,0 +1,13 @@
+Description: local DoS with cgroup offline code
+References:
+ http://www.openwall.com/lists/oss-security/2016/11/04/13
+Notes:
+ Introduced with f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa in 3.11-rc1
+Bugs:
+upstream: released (4.10-rc4) [93362fa47fe98b62e4a34ab408c4a418432e7939]
+4.9-upstream-stable: released (4.9.5) [00cf64fbaa1e99d0420f2934f301c671ba298342]
+3.16-upstream-stable: released (3.16.40) [sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11-rc1"
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
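Review bot: the note line "Introduced with f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa in 3.11-rc1" lacks the "name>" attribution prefix used by every other note in this commit; add it so the origin of the claim is recorded, as the 3.2-upstream-stable N/A reason relies on it.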
diff --git a/retired/CVE-2016-9555 b/retired/CVE-2016-9555
new file mode 100644
index 00000000..7270e36d
--- /dev/null
+++ b/retired/CVE-2016-9555
@@ -0,0 +1,10 @@
+Description: net/sctp: slab-out-of-bounds in sctp_sf_ootb
+References:
+Notes:
+Bugs:
+upstream: released (4.9-rc4) [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
+3.16-upstream-stable: released (3.16.40) [sctp-validate-chunk-len-before-actually-using-it.patch]
+3.2-upstream-stable: released (3.2.85) [sctp-validate-chunk-len-before-actually-using-it.patch]
+sid: released (4.8.11-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch]
diff --git a/retired/CVE-2016-9576 b/retired/CVE-2016-9576
new file mode 100644
index 00000000..0e72544b
--- /dev/null
+++ b/retired/CVE-2016-9576
@@ -0,0 +1,18 @@
+Description: Memory corruption in SCSI generic device interface
+References:
+ https://marc.info/?l=linux-scsi&m=148010092224801&w=2
+ https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt
+Notes:
+ bwh> This CVE is for the vulnerability fixed by commit a0ac402cfcdc
+ bwh> "Don't feed anything but regular iovec's to blk_rq_map_user_iov",
+ bwh> but that only addresses half the problem. The remaining issue is
+ bwh> covered by CVE-2016-10088, and commit 128394eff343 "sg_write()/
+ bwh> bsg_write() is not fit to be called under KERNEL_DS" is a
+ bwh> complete fix for both CVEs.
+Bugs:
+upstream: released (4.9) [a0ac402cfcdc904f9772e1762b3fda112dcc56a0]
+3.16-upstream-stable: released (3.16.40) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch]
+3.2-upstream-stable: released (3.2.85) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch]
diff --git a/retired/CVE-2016-9756 b/retired/CVE-2016-9756
new file mode 100644
index 00000000..f550eaf1
--- /dev/null
+++ b/retired/CVE-2016-9756
@@ -0,0 +1,11 @@
+Description: kvm: stack memory information leakage
+References:
+Notes:
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1400468
+upstream: released (4.9-rc7) [2117d5398c81554fbf803f5fd1dc55eb78216c0c]
+3.16-upstream-stable: released (3.16.40) [kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch]
+3.2-upstream-stable: released (3.2.85) [kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch]
diff --git a/retired/CVE-2016-9793 b/retired/CVE-2016-9793
new file mode 100644
index 00000000..9c6b1314
--- /dev/null
+++ b/retired/CVE-2016-9793
@@ -0,0 +1,13 @@
+Description: signed overflows for SO_{SND|RCV}BUFFORCE
+References:
+Notes:
+ bwh> Introduced in 3.5 by commit 82981930125a "net: cleanups in
+ bwh> sock_setsockopt()". But that should be applied to the 3.2 branches
+ bwh> to fix CVE-2012-6704, so this will be needed on those branches too.
+Bugs:
+upstream: released (4.9-rc8) [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290]
+3.16-upstream-stable: released (3.16.40) [net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
+3.2-upstream-stable: released (3.2.85) [net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch]
diff --git a/retired/CVE-2016-9794 b/retired/CVE-2016-9794
new file mode 100644
index 00000000..720d892d
--- /dev/null
+++ b/retired/CVE-2016-9794
@@ -0,0 +1,10 @@
+Description: ALSA: use-after-free in,kill_fasync
+References:
+Notes:
+Bugs:
+upstream: released (4.7-rc1) [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4]
+3.16-upstream-stable: released (3.16.40) [alsa-pcm-call-kill_fasync-in-stream-lock.patch]
+3.2-upstream-stable: released (3.2.85) [alsa-pcm-call-kill_fasync-in-stream-lock.patch]
+sid: released (4.7.2-1)
+3.16-jessie-security: released (3.16.39-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]
+3.2-wheezy-security: released (3.2.84-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch]
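Review bot: the Description: line "ALSA: use-after-free in,kill_fasync" has a stray comma where a space belongs; it should read "ALSA: use-after-free in kill_fasync".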
diff --git a/retired/CVE-2017-6001 b/retired/CVE-2017-6001
new file mode 100644
index 00000000..cb3f940e
--- /dev/null
+++ b/retired/CVE-2017-6001
@@ -0,0 +1,13 @@
+Description: Possible privilege escalation due to lack of locking around changing event->ctx
+References:
+Notes:
+ bwh> This is left over from an incomplete fix for CVE-2016-6786.
+ bwh> Note dependency on commit 130056275ade "perf: Do not double free".
+Bugs:
+upstream: released (4.10-rc4) [321027c1fe77f892f4ea07846aeae08cefbbb290]
+4.9-upstream-stable: released (4.9.7) [922813f4d66fb317e8602d058d03a1619af1ffd0]
+3.16-upstream-stable: released (3.16.40) [perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch]
+3.2-upstream-stable: released (3.2.85) [perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch]
+sid: released (4.9.10-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch]
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch]
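Review bot: the note records a dependency on commit 130056275ade ("perf: Do not double free"), but no branch entry lists it; add it to the bracketed patch list for the 3.16 and 3.2 branches or state that it is included in the named perf-core patch. The Description: is identical to that of CVE-2016-6786 and CVE-2016-6787; adding a phrase such as "incomplete fix for CVE-2016-6786" to it would distinguish the three files at a glance.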
