Re: New CVE entries this week

Masami Ichikawa

Hi !

On Thu, Jul 29, 2021 at 4:47 PM Pavel Machek <pavel@...> wrote:


** Traking CVEs

CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
This is basically missing memset. Does not look evil to backport.

CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
This may need more careful look. There are 4 patches fixing this in
mainline, but only two in
5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e should be easy to
backport to 4.4.
Okay. I'll take another look.

CVE-2021-31829: Linux kernel protection of stack pointer against
speculative pointer arithmetic can be bypassed to leak content of
kernel memory

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
Strange, this talks about CVE-2021-22543 in the changelog.
ok, I'll check again.

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

Not fiexd in mainline yet
CVE-2021-3655: missing size validations on inbound SCTP packets

According to cip-kernel-sec's scripts v4.4 is not fixed as of 2021/07/29

One of a patch 50619dbf8db77e98d821d615af4f634d08e22698 is included.
I guess this should be listed in stable/4.4: ... then?
Yes, it is. I'll add it.

Best regards,
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...

Join to automatically receive all group messages.