Cip-kernel-sec Updates for Week of 2021-04-01


Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

Nine new CVEs this week:

- CVE-2021-28688 [xen: blkback leak persistent grants] - fixed (ignore for CIP)
- CVE-2021-29264 [gianfar: jumbo frame overrun] - fixed (ignore for CIP)
  Needs backport to 4.9 and 4.14.
- CVE-2021-29265 [usbip: access race] - fixed (ignore for CIP)
- CVE-2021-29266 [vhost: vdpa: UAF] - fixed (ignore for CIP)
- CVE-2021-29646 [net: tipc: user data validation] - fixed
- CVE-2021-29647 [net: qrtr: kernel info leak] - fixed (ignore for CIP)
- CVE-2021-29648 [bpf: vmlinux BTF usage leads to crash] - fixed
- CVE-2021-29649 [bpf: umd: memleak] - fixed (ignore for CIP)
- CVE-2021-29650 [netfilter: x_tables: incorrect memory barrier led to crash] - fixed
  Needs backport to 4.14 and earlier.


Regarding issues from last week,

CVE-2021-3444 - Debian added the following notes:

This last pre-requisite commit though would depend on
092ed0968bb6 ("bpf: verifier support JMP32") which does not
seem to make it possible to backport the fixes in 4.19.y
easily.

CVE-2021-20292 - Ubuntu tagged the commit introducing the
issue as 8e7e70522d76 ("drm/ttm: isolate dma data from ttm_tt V4")
from v3.3-rc1. So it looks like the fix needs to be backported to
v4.4 as well.


Regards
ChenYu
