* New CVEs
CVE-2021-0935: bug is in ipv6 and l2tp code.
This CVE addresses two commits, one in the ipv6 stack and the other in l2tp.
There are two introducing commits: one is 85cb73f ("net: ipv6: reset
daddr and dport in sk if connect() fails"), which was merged in 4.12, and the
other, commit 3557baa ("[L2TP]: PPP over L2TP driver core"), was merged
The fix commits have been merged since 4.16-rc7, so 4.16 or later kernels
are not affected by this vulnerability.
Commit 2f987a76 ("net: ipv6: keep sk status consistent after datagram
connect failure") fixes 85cb73f and commit b954f940 ("l2tp: fix races
with ipv4-mapped ipv6 addresses") fixes commit 3557baa.
To apply the patches to 4.4, conflicts need to be fixed.
CVSS v3 score is not provided.
stable/4.4: not fixed yet
Others are fixed, but this one may be worth watching. Fortunately it
is not a remote attack, AFAICT.
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany