author Salvatore Bonaccorso <carnil@debian.org> 2020-09-10 10:29:45 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2020-09-10 10:29:45 +0200
commit 0a7662be45fee3ee642ec68e6daca93f17769881
tree 07137bbfd467c232f656b5fef23725f75c218780
parent 0199352ee7735987d8abe3ffee41a7d91f8c08bc
Update information on CVE-2020-14356 and add CVE-2020-25220
-rw-r--r-- active/CVE-2020-14356 | 5
-rw-r--r-- active/CVE-2020-25220 | 14
2 files changed, 19 insertions, 0 deletions
diff --git a/active/CVE-2020-14356 b/active/CVE-2020-14356
index 412ae5ad..b6694327 100644
--- a/active/CVE-2020-14356
+++ b/active/CVE-2020-14356
@@ -4,6 +4,11 @@ References:
https://lore.kernel.org/netdev/CAM_iQpUKQJrj8wE+Qa8NGR3P0L+5Uz=qo-O5+k_P60HzTde6aw%40mail.gmail.com/t/
https://bugzilla.redhat.com/show_bug.cgi?id=1868453
Notes:
+ carnil> Some care needs to be applied here to not make a released
+ carnil> version affected by CVE-2020-25220. Additionally to the fixing
+ carnil> commit refered there is need to apply "cgroup: add missing skcd-
+ carnil> >no_refcnt check in cgroup_sk_alloc()" which was included in
+ carnil> 4.9.233, 4.14.194 and 4.19.140.
Bugs:
966846
upstream: released (5.8-rc5) [ad0f75e5f57ccbceec13274e1e242f2b5a6397ed]
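Review bot: The added note quotes the extra commit as "cgroup: add missing skcd->no_refcnt check in cgroup_sk_alloc()", while the CVE-2020-25220 entry added in this same commit describes it as "... check in cgroup_sk_clone()"; the two function names disagree and should be checked against the stable commit so both files name the same fix. The quoted subject is also wrapped in the middle of the identifier (one line ends in "skcd-" and the next begins with ">no_refcnt"), so a search for skcd->no_refcnt will not match this file; rewrap so the token stays on one line, and consider citing the commit by hash the way the upstream: line does. "refered" should be "referred".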
diff --git a/active/CVE-2020-25220 b/active/CVE-2020-25220
new file mode 100644
index 00000000..d6218be6
--- /dev/null
+++ b/active/CVE-2020-25220
@@ -0,0 +1,14 @@
+Description: cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
+References:
+ https://www.spinics.net/lists/stable/msg405099.html
+Notes:
+ carnil> Exists because of a backporting issue in the v4.9.y, v4.14.y
+ carnil> and v4.19.y stable series when backporting fix for CVE-2020-
+ carnil> 14356.
+Bugs:
+upstream: N/A "Vulnerable code not present"
+4.19-upstream-stable: released (4.19.140) [38de4308c5c3319ae9c815b6d6aa8d2b5804bace]
+4.9-upstream-stable: released (4.9.233) [f3b1d647251a94a6968a35e3d685dc8b1b24c3ff]
+sid: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "No released version contains broken backport"
+4.9-stretch-security: N/A "No released version contains broken backport"
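Review bot: The status lines at the end of the new file cover 4.19-upstream-stable and 4.9-upstream-stable but carry no 4.14 entry, although the Notes name v4.14.y as one of the series hit by the broken backport and the CVE-2020-14356 note lists 4.14.194 as containing the fix. Add a 4.14-upstream-stable: line with its commit id, or say in the Notes why that branch is not tracked here. The Notes also split the CVE id across two lines ("CVE-2020-" then "14356"), which defeats a grep for CVE-2020-14356; rewrap so the id stays whole.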
