From a49eb64f8bbcf0ee040d49ae323ac0220b23f7b4 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 21 Mar 2024 20:39:30 +0100 Subject: Add new CVEs --- active/CVE-2023-52620 | 15 +++++++++++++++ active/CVE-2024-26642 | 16 ++++++++++++++++ active/CVE-2024-26643 | 17 +++++++++++++++++ 3 files changed, 48 insertions(+) create mode 100644 active/CVE-2023-52620 create mode 100644 active/CVE-2024-26642 create mode 100644 active/CVE-2024-26643 diff --git a/active/CVE-2023-52620 b/active/CVE-2023-52620 new file mode 100644 index 00000000..81f5ee41 --- /dev/null +++ b/active/CVE-2023-52620 @@ -0,0 +1,15 @@ +Description: netfilter: nf_tables: disallow timeout for anonymous sets +References: +Notes: + carnil> First introducing commit could not be determined. +Bugs: +upstream: released (6.4) [e26d3009efda338f19016df4175f354a9bd0a4ab] +6.7-upstream-stable: N/A "Fixed before branching point" +6.6-upstream-stable: N/A "Fixed before branching point" +6.1-upstream-stable: released (6.1.81) [b7be6c737a179a76901c872f6b4c1d00552d9a1b] +5.10-upstream-stable: needed +4.19-upstream-stable: needed +sid: released (6.4.4-1) +6.1-bookworm-security: needed +5.10-bullseye-security: needed +4.19-buster-security: needed diff --git a/active/CVE-2024-26642 b/active/CVE-2024-26642 new file mode 100644 index 00000000..d5108d27 --- /dev/null +++ b/active/CVE-2024-26642 @@ -0,0 +1,16 @@ +Description: netfilter: nf_tables: disallow anonymous set with timeout flag +References: +Notes: + carnil> Introduced in 761da2935d6e ("netfilter: nf_tables: add set timeout API + carnil> support"). Vulnerable versions: 4.1-rc1. +Bugs: +upstream: released (6.8) [16603605b667b70da974bea8216c93e7db043bf1] +6.7-upstream-stable: needed +6.6-upstream-stable: needed +6.1-upstream-stable: needed +5.10-upstream-stable: needed +4.19-upstream-stable: needed +sid: needed +6.1-bookworm-security: needed +5.10-bullseye-security: needed +4.19-buster-security: needed 
diff --git a/active/CVE-2024-26643 b/active/CVE-2024-26643 new file mode 100644 index 00000000..c6bbee18 --- /dev/null +++ b/active/CVE-2024-26643 @@ -0,0 +1,17 @@ +Description: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout +References: +Notes: + carnil> Introduced in 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid + carnil> race with control plane"). Vulnerable versions: 5.4.262 5.10.198 5.15.134 + carnil> 6.1.56 6.4.11 6.5-rc6. +Bugs: +upstream: released (6.8) [552705a3650bbf46a22b1adedc1b04181490fc36] +6.7-upstream-stable: needed +6.6-upstream-stable: needed +6.1-upstream-stable: needed +5.10-upstream-stable: needed +4.19-upstream-stable: N/A "Vulnerable code not present" +sid: needed +6.1-bookworm-security: needed +5.10-bullseye-security: needed +4.19-buster-security: N/A "Vulnerable code not present" -- cgit v1.2.3
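Review bot: In the active/CVE-2023-52620 hunk, the Notes line records that the introducing commit could not be determined, yet 5.10-upstream-stable, 4.19-upstream-stable, 5.10-bullseye-security and 4.19-buster-security are all marked "needed" rather than left open. That status silently assumes the vulnerable code is present in those trees; it would help backporters to say so explicitly in the Notes, e.g. "carnil> 5.10/4.19 marked needed pending confirmation that the code is present", or to record which tree the upstream fix e26d3009efda338f19016df4175f354a9bd0a4ab was checked against, so a later reader can tell a verified status from a provisional one.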
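Review bot: The active/CVE-2024-26642 hunk carries a Description ("disallow anonymous set with timeout flag") that is almost indistinguishable from the one added for CVE-2023-52620 in the same commit ("disallow timeout for anonymous sets"), while the two entries point at different upstream fixes (16603605b667b70da974bea8216c93e7db043bf1 in 6.8 versus e26d3009efda338f19016df4175f354a9bd0a4ab in 6.4) and different branch states. A cross-reference in the Notes of both files, e.g. "carnil> Related to CVE-2023-52620, separate upstream fix", would keep the two from being confused when a backport lands and one of them is updated. The "needed" status on every branch down to 4.19 is consistent with the recorded "Vulnerable versions: 4.1-rc1".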
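Review bot: In the active/CVE-2024-26643 hunk, the Notes state that the introducing commit 5f68718b34a5 reached the stable trees only at 5.4.262, 5.10.198, 5.15.134 and 6.1.56, so 5.10-bullseye-security and 6.1-bookworm-security are affected only if the shipped kernels are at or past 5.10.198 and 6.1.56 respectively; it is worth confirming the current package versions before leaving both as "needed", and noting the threshold in the Notes so the entry stays correct for older point releases. The 4.19 lines marked N/A "Vulnerable code not present" are consistent with 4.19 being absent from that list.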