From 1b7c12bf66dd8a6456df8a4297d4d6f753fce144 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 2 Oct 2021 00:53:19 +0200 Subject: Fill in status for some recent issues --- active/CVE-2021-32078 | 7 +++++-- active/CVE-2021-34556 | 4 ++-- active/CVE-2021-3542 | 13 +++++++------ active/CVE-2021-35477 | 4 ++-- active/CVE-2021-3640 | 13 +++++++------ active/CVE-2021-3669 | 13 +++++++------ active/CVE-2021-37159 | 4 ++-- active/CVE-2021-3743 | 6 ++++-- active/CVE-2021-3759 | 8 ++++---- active/CVE-2021-38199 | 4 ++-- active/CVE-2021-38203 | 14 ++++++++------ active/CVE-2021-38206 | 10 ++++++---- active/CVE-2021-38207 | 9 +++++---- active/CVE-2021-38300 | 13 +++++++------ 14 files changed, 68 insertions(+), 54 deletions(-) diff --git a/active/CVE-2021-32078 b/active/CVE-2021-32078 index 37831fa9..b0fbc14c 100644 --- a/active/CVE-2021-32078 +++ b/active/CVE-2021-32078 @@ -5,11 +5,14 @@ Notes: carnil> Issue is in the "personal server platform", which is not carnil> enabled in Debian. Furthermore the fixing commit just removes carnil> the whole code, which is believed that no one is using it. + bwh> The affected platform has a StrongArm (ARM v4) CPU which was only + bwh> supported by Debian's original arm architecture, not armel Bugs: upstream: released (5.13-rc1) [298a58e165e447ccfaae35fe9f651f9d7e15166f] 5.10-upstream-stable: 4.19-upstream-stable: 4.9-upstream-stable: sid: released (5.14.6-1) -4.19-buster-security: -4.9-stretch-security: +5.10-bullseye-security: ignored "Not applicable to any Debian architecture" +4.19-buster-security: ignored "Not applicable to any Debian architecture" +4.9-stretch-security: ignored "Not applicable to any Debian architecture" diff --git a/active/CVE-2021-34556 b/active/CVE-2021-34556 index f31d6a13..c38ddf00 100644 --- a/active/CVE-2021-34556 +++ b/active/CVE-2021-34556 @@ -7,8 +7,8 @@ Bugs: upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26f3aca5b0e419b98f65dd36481337b86ee] 5.10-upstream-stable: released (5.10.56) [bea9e2fd180892eba2574711b05b794f1d0e7b73, 0e9280654aa482088ee6ef3deadef331f5ac5fb0] 4.19-upstream-stable: released (4.19.207) [91cdb5b36234e6af69d6280f1510e4453707a2b8, 872968502114d68c21419cf7eb5ab97717e7b803] -4.9-upstream-stable: +4.9-upstream-stable: needed sid: released (5.10.46-4) [bugfix/all/bpf-introduce-bpf-nospec-instruction-for-mitigating-.patch, bugfix/all/bpf-fix-leakage-due-to-insufficient-speculative-stor.patch] 5.10-bullseye-security: N/A "Fixed before branching point" 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: needed diff --git a/active/CVE-2021-3542 b/active/CVE-2021-3542 index 538b9b2e..d5e3d60f 100644 --- a/active/CVE-2021-3542 +++ b/active/CVE-2021-3542 @@ -7,9 +7,10 @@ References: Notes: Bugs: upstream: needed -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +5.10-upstream-stable: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed +sid: needed +5.10-bullseye-security: needed +4.19-buster-security: needed +4.9-stretch-security: needed diff --git a/active/CVE-2021-35477 b/active/CVE-2021-35477 index f31d6a13..c38ddf00 100644 --- a/active/CVE-2021-35477 +++ b/active/CVE-2021-35477 @@ -7,8 +7,8 @@ Bugs: upstream: released (5.14-rc4) [f5e81d1117501546b7be050c5fbafa6efd2c722c, 2039f26f3aca5b0e419b98f65dd36481337b86ee] 5.10-upstream-stable: released (5.10.56) [bea9e2fd180892eba2574711b05b794f1d0e7b73, 0e9280654aa482088ee6ef3deadef331f5ac5fb0] 4.19-upstream-stable: released (4.19.207) [91cdb5b36234e6af69d6280f1510e4453707a2b8, 872968502114d68c21419cf7eb5ab97717e7b803] -4.9-upstream-stable: +4.9-upstream-stable: needed sid: released (5.10.46-4) [bugfix/all/bpf-introduce-bpf-nospec-instruction-for-mitigating-.patch, bugfix/all/bpf-fix-leakage-due-to-insufficient-speculative-stor.patch] 5.10-bullseye-security: N/A "Fixed before branching point" 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: needed diff --git a/active/CVE-2021-3640 b/active/CVE-2021-3640 index b2932d4d..bb9547e2 100644 --- a/active/CVE-2021-3640 +++ b/active/CVE-2021-3640 @@ -12,9 +12,10 @@ Notes: carnil> ("Bluetooth: switch to lock_sock in SCO") Bugs: upstream: needed -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +5.10-upstream-stable: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed +sid: needed +5.10-bullseye-security: needed +4.19-buster-security: needed +4.9-stretch-security: needed diff --git a/active/CVE-2021-3669 b/active/CVE-2021-3669 index d72c59d9..64eb2f07 100644 --- a/active/CVE-2021-3669 +++ b/active/CVE-2021-3669 @@ -11,9 +11,10 @@ Notes: carnil> https://bugzilla.redhat.com/show_bug.cgi?id=1986473#c10 Bugs: upstream: released (5.15-rc1) [20401d1058f3f841f35a594ac2fc1293710e55b9] -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: +5.10-upstream-stable: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed +sid: needed +5.10-bullseye-security: needed +4.19-buster-security: needed +4.9-stretch-security: needed diff --git a/active/CVE-2021-37159 b/active/CVE-2021-37159 index 22a94465..285f57ce 100644 --- a/active/CVE-2021-37159 +++ b/active/CVE-2021-37159 @@ -18,8 +18,8 @@ Bugs: upstream: released (5.14-rc3) [a6ecfb39ba9d7316057cea823b196b734f6b18ca] 5.10-upstream-stable: released (5.10.54) [115e4f5b64ae8d9dd933167cafe2070aaac45849] 4.19-upstream-stable: needed -4.9-upstream-stable: +4.9-upstream-stable: needed sid: released (5.14.6-1) 5.10-bullseye-security: needed 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: needed diff --git a/active/CVE-2021-3743 b/active/CVE-2021-3743 index 8cd7e54e..cee60251 100644 --- a/active/CVE-2021-3743 +++ b/active/CVE-2021-3743 @@ -3,12 +3,14 @@ References: https://bugzilla.redhat.com/show_bug.cgi?id=1997961 https://lists.openwall.net/netdev/2021/08/17/124 Notes: + bwh> Introduced in 4.15 by 194ccc88297a "net: qrtr: Support decoding + bwh> incoming v2 packets" Bugs: upstream: released (5.14) [7e78c597c3ebfd0cb329aa09a838734147e4f117] 5.10-upstream-stable: released (5.10.62) [ad41706c771a038e9a334fa55216abd69b32bfdf] 4.19-upstream-stable: released (4.19.206) [ce7d8be2eaa4cab3032e256d154d1c33843d2367] -4.9-upstream-stable: +4.9-upstream-stable: N/A "Vulnerability introduced later" sid: released (5.14.6-1) 5.10-bullseye-security: released (5.10.46-5) [bugfix/all/net-qrtr-fix-another-OOB-Read-in-qrtr_endpoint_post.patch] 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2021-3759 b/active/CVE-2021-3759 index 764af525..45aeecfb 100644 --- a/active/CVE-2021-3759 +++ b/active/CVE-2021-3759 @@ -6,9 +6,9 @@ Notes: Bugs: upstream: released (5.15-rc1) [18319498fdd4cdf8c1c2c48cd432863b1f915d6f] 5.10-upstream-stable: needed -4.19-upstream-stable: -4.9-upstream-stable: +4.19-upstream-stable: needed +4.9-upstream-stable: needed sid: needed 5.10-bullseye-security: needed -4.19-buster-security: -4.9-stretch-security: +4.19-buster-security: needed +4.9-stretch-security: needed diff --git a/active/CVE-2021-38199 b/active/CVE-2021-38199 index d818d7d7..1c07a7df 100644 --- a/active/CVE-2021-38199 +++ b/active/CVE-2021-38199 @@ -5,8 +5,8 @@ Bugs: upstream: released (5.14-rc1) [dd99e9f98fbf423ff6d365b37a98e8879170f17c] 5.10-upstream-stable: released (5.10.52) [ff4023d0194263a0827c954f623c314978cf7ddd] 4.19-upstream-stable: released (4.19.198) [743f6b973c8ba8a0a5ed15ab11e1d07fa00d5368] -4.9-upstream-stable: +4.9-upstream-stable: needed sid: released (5.14.6-1) 5.10-bullseye-security: released (5.10.46-5) [bugfix/all/NFSv4-Initialise-connection-to-the-server-in-nfs4_al.patch] 4.19-buster-security: needed -4.9-stretch-security: +4.9-stretch-security: needed diff --git a/active/CVE-2021-38203 b/active/CVE-2021-38203 index d626b598..bb0fcdae 100644 --- a/active/CVE-2021-38203 +++ b/active/CVE-2021-38203 @@ -4,12 +4,14 @@ Notes: carnil> Commit fixes eafa4fd0ad0607 ("btrfs: fix exhaustion of the carnil> system chunk array due to concurrent allocations") but the carnil> underlying issue might be present earlier. + bwh> The fix is precisely a revert of commit eafa4fd0ad0607, so I + bwh> don't believe there is an older issue. Bugs: upstream: released (5.14-rc2) [1cb3db1cf383a3c7dbda1aa0ce748b0958759947] -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: +5.10-upstream-stable: N/A "Vulnerability introduced later" +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" sid: released (5.14.6-1) -5.10-bullseye-security: -4.19-buster-security: -4.9-stretch-security: +5.10-bullseye-security: N/A "Vulnerability introduced later" +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2021-38206 b/active/CVE-2021-38206 index aeac3e9e..f0736742 100644 --- a/active/CVE-2021-38206 +++ b/active/CVE-2021-38206 @@ -1,12 +1,14 @@ Description: mac80211: Fix NULL ptr deref for injected rate info References: Notes: + bwh> Introduced in 5.9 by commit cb17ed29a7a5 "mac80211: parse radiotap + bwh> header when selecting Tx queue" Bugs: upstream: released (5.13-rc7) [bddc0c411a45d3718ac535a070f349be8eca8d48] 5.10-upstream-stable: released (5.10.46) [f74df6e086083dc435f7500bdbc86b05277d17af] -4.19-upstream-stable: -4.9-upstream-stable: +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" sid: released (5.10.46-1) 5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: -4.9-stretch-security: +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2021-38207 b/active/CVE-2021-38207 index d1d2e558..597f60dd 100644 --- a/active/CVE-2021-38207 +++ b/active/CVE-2021-38207 @@ -1,12 +1,13 @@ Description: net: ll_temac: Fix TX BD buffer overwrite References: Notes: + bwh> Driver is only usable on microblaze and 32-bit powerpc Bugs: upstream: released (5.13-rc7) [c364df2489b8ef2f5e3159b1dff1ff1fdb16040d] 5.10-upstream-stable: released (5.10.46) [cfe403f209b11fad123a882100f0822a52a7630f] -4.19-upstream-stable: -4.9-upstream-stable: +4.19-upstream-stable: needed +4.9-upstream-stable: needed sid: released (5.10.46-1) 5.10-bullseye-security: N/A "Fixed before branching point" -4.19-buster-security: -4.9-stretch-security: +4.19-buster-security: ignored "Not applicable to any release architecture" +4.9-stretch-security: ignored "Not applicable to any release architecture" diff --git a/active/CVE-2021-38300 b/active/CVE-2021-38300 index d7d971e0..9cc4d205 100644 --- a/active/CVE-2021-38300 +++ b/active/CVE-2021-38300 @@ -4,12 +4,13 @@ References: https://www.openwall.com/lists/oss-security/2021/09/15/5 https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=37cb28ec7d3a36a5bace7063a3dba633ab110f8b Notes: + bwh> Introduced in 3.16 by commit c6610de353da "MIPS: net: Add BPF JIT" Bugs: upstream: pending [37cb28ec7d3a36a5bace7063a3dba633ab110f8b] -5.10-upstream-stable: -4.19-upstream-stable: -4.9-upstream-stable: +5.10-upstream-stable: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed sid: released (5.14.6-1) [bugfix/mipsel/bpf-mips-Validate-conditional-branch-offsets.patch] -5.10-bullseye-security: -4.19-buster-security: -4.9-stretch-security: +5.10-bullseye-security: needed +4.19-buster-security: needed +4.9-stretch-security: ignored "mips not supported in LTS" -- cgit v1.2.3