From 1384bd50ccd37fb18532fa3a70c0b3eee7ec583f Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Thu, 18 Aug 2022 16:11:01 +0200
Subject: Retire two CVEs
---
 active/CVE-2022-21505 | 16 ----------------
 active/CVE-2022-2503 | 11 -----------
 retired/CVE-2022-21505 | 16 ++++++++++++++++
 retired/CVE-2022-2503 | 11 +++++++++++
 4 files changed, 27 insertions(+), 27 deletions(-)
 delete mode 100644 active/CVE-2022-21505
 delete mode 100644 active/CVE-2022-2503
 create mode 100644 retired/CVE-2022-21505
 create mode 100644 retired/CVE-2022-2503
diff --git a/active/CVE-2022-21505 b/active/CVE-2022-21505
deleted file mode 100644
index 8ddce2e5..00000000
--- a/active/CVE-2022-21505
+++ /dev/null
@@ -1,16 +0,0 @@
-Description: Kernel lockdown bypass bug
-References:
- https://www.openwall.com/lists/oss-security/2022/07/19/4
-Notes:
- carnil> Released as well in 5.18.15 for 5.18.y.
- carnil> Commit fixes 29d3c1c8dfe7 ("kexec: Allow kexec_file() with
- carnil> appropriate IMA policy when locked down") in 5.4-rc1.
- carnil> CONFIG_IMA was only re-enabled in Debian in 5.13.9-1~exp1
- carnil> and the issue does not affect bullseye's built binary packages.
-Bugs:
-upstream: released (5.19-rc8) [543ce63b664e2c2f9533d089a4664b559c3e6b5b]
-5.10-upstream-stable: released (5.10.134) [ab5050fd7430dde3a9f073129036d3da3facc8ec]
-4.19-upstream-stable: N/A "Vulnerable code introduced later"
-sid: released (5.18.16-1)
-5.10-bullseye-security: released (5.10.136-1)
-4.19-buster-security: N/A "Vulnerable code introduced later"
diff --git a/active/CVE-2022-2503 b/active/CVE-2022-2503
deleted file mode 100644
index 69528be6..00000000
--- a/active/CVE-2022-2503
+++ /dev/null
@@ -1,11 +0,0 @@
-Description: dm verity: set DM_TARGET_IMMUTABLE feature flag
-References:
- https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m
-Notes:
-Bugs:
-upstream: released (5.19-rc1) [4caae58406f8ceb741603eee460d79bacca9b1b5]
-5.10-upstream-stable: released (5.10.120) [8df42bcd364cc3b41105215d841792aea787b133]
-4.19-upstream-stable: released (4.19.246) [6bff6107d1364c95109609c3fd680e6c8d7fa503]
-sid: released (5.18.2-1)
-5.10-bullseye-security: released (5.10.120-1)
-4.19-buster-security: released (4.19.249-1)
diff --git a/retired/CVE-2022-21505 b/retired/CVE-2022-21505
new file mode 100644
index 00000000..8ddce2e5
--- /dev/null
+++ b/retired/CVE-2022-21505
@@ -0,0 +1,16 @@
+Description: Kernel lockdown bypass bug
+References:
+ https://www.openwall.com/lists/oss-security/2022/07/19/4
+Notes:
+ carnil> Released as well in 5.18.15 for 5.18.y.
+ carnil> Commit fixes 29d3c1c8dfe7 ("kexec: Allow kexec_file() with
+ carnil> appropriate IMA policy when locked down") in 5.4-rc1.
+ carnil> CONFIG_IMA was only re-enabled in Debian in 5.13.9-1~exp1
+ carnil> and the issue does not affect bullseye's built binary packages.
+Bugs:
+upstream: released (5.19-rc8) [543ce63b664e2c2f9533d089a4664b559c3e6b5b]
+5.10-upstream-stable: released (5.10.134) [ab5050fd7430dde3a9f073129036d3da3facc8ec]
+4.19-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.18.16-1)
+5.10-bullseye-security: released (5.10.136-1)
+4.19-buster-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2022-2503 b/retired/CVE-2022-2503
new file mode 100644
index 00000000..69528be6
--- /dev/null
+++ b/retired/CVE-2022-2503
@@ -0,0 +1,11 @@
+Description: dm verity: set DM_TARGET_IMMUTABLE feature flag
+References:
+ https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m
+Notes:
+Bugs:
+upstream: released (5.19-rc1) [4caae58406f8ceb741603eee460d79bacca9b1b5]
+5.10-upstream-stable: released (5.10.120) [8df42bcd364cc3b41105215d841792aea787b133]
+4.19-upstream-stable: released (4.19.246) [6bff6107d1364c95109609c3fd680e6c8d7fa503]
+sid: released (5.18.2-1)
+5.10-bullseye-security: released (5.10.120-1)
+4.19-buster-security: released (4.19.249-1)
--
cgit v1.2.3