From 73dccfc63d792093db024dd1df1e7dfd4682bac2 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 11 Mar 2024 00:11:29 +0100 Subject: Record various issues as already fixed upstream --- active/CVE-2023-1192 | 10 ++++++---- active/CVE-2023-2176 | 2 +- active/CVE-2023-52572 | 1 + active/CVE-2023-6356 | 21 +++++++++++++-------- active/CVE-2023-6536 | 20 ++++++++++++-------- active/CVE-2024-0565 | 2 +- active/CVE-2024-0841 | 9 +++++---- active/CVE-2024-23850 | 9 +++++---- active/CVE-2024-23851 | 2 +- 9 files changed, 45 insertions(+), 31 deletions(-) diff --git a/active/CVE-2023-1192 b/active/CVE-2023-1192 index 8bdbcbb8..1a449827 100644 --- a/active/CVE-2023-1192 +++ b/active/CVE-2023-1192 @@ -14,11 +14,13 @@ Notes: carnil> the smb2_is_status_io_timeout() case. carnil> But according to Ben this is another issue. Bugs: -upstream: needed -6.1-upstream-stable: needed +upstream: released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f] +6.7-upstream-stable: N/A "Fixed before branching point" +6.6-upstream-stable: N/A "Fixed before branching point" +6.1-upstream-stable: released (6.1.56) [908b3b5e97d25e879de3d1f172a255665491c2c3] 5.10-upstream-stable: needed 4.19-upstream-stable: N/A "Vulnerable code not present" -sid: needed -6.1-bookworm-security: needed +sid: released (6.5.6-1) +6.1-bookworm-security: released (6.1.64-1) 5.10-bullseye-security: needed 4.19-buster-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2023-2176 b/active/CVE-2023-2176 index 03ae4309..016b82f0 100644 --- a/active/CVE-2023-2176 +++ b/active/CVE-2023-2176 @@ -9,7 +9,7 @@ Notes: bwh> and remote IP". Bugs: upstream: released (6.3-rc1) [8d037973d48c026224ab285e6a06985ccac6f7bf] -6.1-upstream-stable: needed +6.1-upstream-stable: released (6.1.81) [88067197e97af3fcb104dd86030f788ec1b32fdb] 5.10-upstream-stable: N/A "Vulnerability introduced later" 4.19-upstream-stable: N/A "Vulnerability introduced later" sid: released (6.3.7-1) diff --git a/active/CVE-2023-52572 b/active/CVE-2023-52572 index ea38421c..bfae580c 100644 --- a/active/CVE-2023-52572 +++ b/active/CVE-2023-52572 @@ -3,6 +3,7 @@ References: Notes: carnil> Introduced in ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and carnil> memcpy) in cifs_readpages"). Vulnerable versions: 2.6.16-rc2. + bwh> Duplicate of CVE-2023-1192. Bugs: upstream: released (6.6-rc3) [d527f51331cace562393a8038d870b3e9916686f] 6.7-upstream-stable: N/A "Fixed before branching point" diff --git a/active/CVE-2023-6356 b/active/CVE-2023-6356 index 6b346475..2617a7b8 100644 --- a/active/CVE-2023-6356 +++ b/active/CVE-2023-6356 @@ -3,12 +3,17 @@ References: https://bugzilla.redhat.com/show_bug.cgi?id=2254054 https://lore.kernel.org/linux-nvme/CAK5usQupQgYoyav2itYADv2XVooMptqqswW8cTkuoMkRpjapwQ@mail.gmail.com/T/#t Notes: + bwh> There has never been a nvmet_tcp_build_iovec() function in + bwh> nvmet, but I think this is fixed by commit efa56305908b + bwh> "nvmet-tcp: Fix a kernel panic when host sends an invalid + bwh> H2C PDU length" which mentions nvmet_tcp_build_pdu_iovec(). + bwh> Fixed as well in 6.6.14 and 6.7.2. Bugs: -upstream: -6.1-upstream-stable: -5.10-upstream-stable: -4.19-upstream-stable: -sid: -6.1-bookworm-security: -5.10-bullseye-security: -4.19-buster-security: +upstream: released (6.8-rc1) [efa56305908ba20de2104f1b8508c6a7401833be] +6.1-upstream-stable: released (6.1.75) [2871aa407007f6f531fae181ad252486e022df42] +5.10-upstream-stable: released (5.10.209) [f775f2621c2ac5cc3a0b3a64665dad4fb146e510] +4.19-upstream-stable: needed +sid: released (6.6.15-1) +6.1-bookworm-security: released (6.1.76-1) +5.10-bullseye-security: released (5.10.209-1) +4.19-buster-security: needed diff --git a/active/CVE-2023-6536 b/active/CVE-2023-6536 index b85dd1ef..e804453b 100644 --- a/active/CVE-2023-6536 +++ b/active/CVE-2023-6536 @@ -3,12 +3,16 @@ References: https://bugzilla.redhat.com/show_bug.cgi?id=2254052 https://lore.kernel.org/linux-nvme/69e7bbe4-b454-4941-90e2-2e6a4cf0f182@grimberg.me/T/#t Notes: + bwh> I think this is fixed by commit 0849a5441358 "nvmet-tcp: + bwh> fix a crash in nvmet_req_complete()"; that mentions + bwh> nvmet_req_complete() which is a thin wrapper for + bwh> __nvmet_req_complete()). Fixed as well in 6.6.14 and 6.7.2. Bugs: -upstream: -6.1-upstream-stable: -5.10-upstream-stable: -4.19-upstream-stable: -sid: -6.1-bookworm-security: -5.10-bullseye-security: -4.19-buster-security: +upstream: released (6.8-rc1) [0849a5441358cef02586fb2d60f707c0db195628] +6.1-upstream-stable: released (6.1.75) [83ccd15717ee2b6143df72df39685f0c832e3451] +5.10-upstream-stable: released (5.10.209) [39669fae69f302961d89f38d969c6fcc1d07eb02] +4.19-upstream-stable: needed +sid: released (6.6.15-1) +6.1-bookworm-security: released (6.1.76-1) +5.10-bullseye-security: released (5.10.209-1) +4.19-buster-security: needed diff --git a/active/CVE-2024-0565 b/active/CVE-2024-0565 index 48ab314f..7ab48346 100644 --- a/active/CVE-2024-0565 +++ b/active/CVE-2024-0565 @@ -9,7 +9,7 @@ Notes: Bugs: upstream: released (6.7-rc6) [eec04ea119691e65227a97ce53c0da6b9b74b0b7] 6.1-upstream-stable: released (6.1.69) [9f528a8e68327117837b5e28b096f52af4c26a05] -5.10-upstream-stable: needed +5.10-upstream-stable: released (5.10.211) [b03c8099a738a04d2343547ae6a04e5f0f63d3fa] 4.19-upstream-stable: needed sid: released (6.6.8-1) 6.1-bookworm-security: released (6.1.69-1) diff --git a/active/CVE-2024-0841 b/active/CVE-2024-0841 index 1a089c10..1e907906 100644 --- a/active/CVE-2024-0841 +++ b/active/CVE-2024-0841 @@ -5,12 +5,13 @@ References: Notes: carnil> Commit fixes 32021982a324 ("hugetlbfs: Convert to fs_context") carnil> 5.1-rc1. + bwh> Fixed also in 6.6.18 and 6.7.6. Bugs: -upstream: needed -6.1-upstream-stable: needed -5.10-upstream-stable: needed +upstream: released (6.8-rc4) [79d72c68c58784a3e1cd2378669d51bfd0cb7498] +6.1-upstream-stable: released (6.1.79) [2e2c07104b4904aed1389a59b25799b95a85b5b9] +5.10-upstream-stable: released (5.10.212) [80d852299987a8037be145a94f41874228f1a773] 4.19-upstream-stable: N/A "Vulnerable code not present" -sid: needed +sid: released (6.7.7-1) 6.1-bookworm-security: needed 5.10-bullseye-security: needed 4.19-buster-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2024-23850 b/active/CVE-2024-23850 index cfb2f68d..477ce026 100644 --- a/active/CVE-2024-23850 +++ b/active/CVE-2024-23850 @@ -6,12 +6,13 @@ Notes: carnil> Commit fixes 2dfb1e43f57d ("btrfs: preallocate anon block carnil> device at first phase of snapshot creation") in 5.9-rc1 (and carnil> backported to 5.8.3) + bwh> Fixed as well in 6.6.18 and 6.7.6. Bugs: -upstream: needed -6.1-upstream-stable: needed -5.10-upstream-stable: needed +upstream: released (6.8-rc4) [e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb] +6.1-upstream-stable: released (6.1.79) +5.10-upstream-stable: released (5.10.210) 4.19-upstream-stable: N/A "Vulnerable code not present" -sid: needed +sid: released (6.7.7-1) 6.1-bookworm-security: needed 5.10-bullseye-security: needed 4.19-buster-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2024-23851 b/active/CVE-2024-23851 index 327c875a..da6796be 100644 --- a/active/CVE-2024-23851 +++ b/active/CVE-2024-23851 @@ -9,7 +9,7 @@ upstream: released (6.8-rc3) [bd504bcfec41a503b32054da5472904b404341a4] 6.1-upstream-stable: released (6.1.79) [c5d83ac2bf6ca668a39ffb1a576899a66153ba19] 5.10-upstream-stable: released (5.10.210) [a891a0621e725e85529985139cada8cb5a74a116] 4.19-upstream-stable: -sid: needed +sid: released (6.7.7-1) 6.1-bookworm-security: needed 5.10-bullseye-security: needed 4.19-buster-security: -- cgit v1.2.3