Cip-kernel-sec Updates for Week of 2021-04-22


Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

Seven new CVEs this week, though three can be ignored.

- CVE-2021-1076 [nvidia out-of-tree driver DoS] - ignore
- CVE-2021-1077 [nvidia out-of-tree driver DoS] - ignore
- CVE-2021-23133 [net/sctp: race in sctp_destroy_sock] - fixed
Needs backport to kernels before 5.4

- CVE-2021-29155 [bpf: kernel memory content leak] - fixed
Debian notes this likely only affects 5.8 and later.
I intend to mark it as such if no one objects.

- CVE-2021-3492 [shiftfs: double free] - ignore Ubuntu specific
- CVE-2021-3493 [overlayfs: privilege escalation] - fixed
- CVE-2021-3506 [f2fs: out-of-bounds access] - fix queued up for -next

Regarding CVE-2021-29650 from 4/1, it seems Pavel's backport
still didn't hit the stable mailing list. Guenter ended up
posting backports [1] for all the old LTS kernels, but there
were some other issues and he asked Greg to drop them.


Regards
ChenYu

[1] https://lore.kernel.org/stable/1780f159-140b-231f-8af5-ccec049dc8b0@roeck-us.net/

Join cip-dev@lists.cip-project.org to automatically receive all group messages.