Re: Cip-kernel-sec Updates for Week of 2021-02-04

Home Messages Hashtags Subgroups

Chen-Yu Tsai (Moxa) <wens@...> #6164 On Thu, Feb 4, 2021 at 1:26 PM Chen-Yu Tsai <wens@...> wrote: Hi everyone, Two new issue this week: - CVE-2021-3347 [UAF in futex]: fixed for 4.14 and later [1] - CVE-2021-3348 [nbd: UAF when adding connections while operations are running]: fixed in all kernels For CVE-2021-3347, based on [1], more patches are needed for 4.4 and 4.9. The second batch: 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9..34b1a1ce1458f50ef27c54e28eb9b1947012907a inclusive has not been included yet. Lee Jones seems to be handling it [2]. FTR, a second backport series for 4.4 was also posted: https://lore.kernel.org/stable/20210204172903.2860981-1-lee.jones@linaro.org/ ChenYu For CVE-2020-27825 from two weeks ago, the fix has been backported to all stable kernels. For CVE-2020-16120, Ubuntu mentions a regression due to the backported fix [3]. We probably don't care either way since this requires unprivileged user namespace is enabled. Regards ChenYu [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/pending/futex_issues.txt [2] https://lore.kernel.org/stable/20210203134539.2583943-1-lee.jones@linaro.org/ [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1900141
More All Messages By This Member

Join cip-dev@lists.cip-project.org to automatically receive all group messages.