Re: Cip-kernel-sec Updates for Week of 2021-02-04

Chen-Yu Tsai (Moxa) <wens@...>

On Thu, Feb 4, 2021 at 1:26 PM Chen-Yu Tsai <wens@...> wrote:

Hi everyone,

Two new issue this week:
- CVE-2021-3347 [UAF in futex]: fixed for 4.14 and later [1]
- CVE-2021-3348 [nbd: UAF when adding connections while operations are
running]: fixed in all kernels

For CVE-2021-3347, based on [1], more patches are needed for 4.4 and 4.9.
The second batch:


has not been included yet. Lee Jones seems to be handling it [2].
FTR, a second backport series for 4.4 was also posted:


For CVE-2020-27825 from two weeks ago, the fix has been backported to
all stable kernels.

For CVE-2020-16120, Ubuntu mentions a regression due to the backported fix [3].
We probably don't care either way since this requires unprivileged
user namespace
is enabled.



Join to automatically receive all group messages.