Retire some CVEs

3 files changed, 54 insertions, 0 deletions

diff --git a/retired/CVE-2019-19462 b/retired/CVE-2019-19462
new file mode 100644
index 000000000..14fd47453
--- /dev/null
+++ b/retired/CVE-2019-19462
@@ -0,0 +1,20 @@
+Description: relay: handle alloc_percpu returning NULL in relay_open
+References:
+ https://lore.kernel.org/lkml/20191129013745.7168-1-dja@axtens.net/
+ https://syzkaller-ppc64.appspot.com/bug?id=1c09906c83a8ea811a9e318c2a4f8e243becc6f8
+ https://syzkaller-ppc64.appspot.com/bug?id=b05b4d005191cc375cdf848c3d4d980308d50531
+ https://syzkaller.appspot.com/bug?id=e4265490d26d6c01cd9bc79dc915ef0a1bf15046
+ https://syzkaller.appspot.com/bug?id=f4d1cb4330bd3ddf4a628332b4285407b2eedd7b 
+ https://lore.kernel.org/lkml/20191219121256.26480-1-dja@axtens.net/
+Notes:
+ bwh> Introduced in 4.9 (not 4.10) by commit 017c59c042d0 "relay: Use per
+ bwh> CPU constructs for the relay channel buffer pointers".
+Bugs:
+upstream: released (5.8-rc1) [54e200ab40fc14c863bcc80a51e20b7906608fce]
+4.19-upstream-stable: released (4.19.127) [8b5dfa53eeb6c8bba5a035d38f6f8b981aebb622]
+4.9-upstream-stable: released (4.9.227) [d1774b0459875e2bf3e93b86294296e5494fd0b7]
+3.16-upstream-stable: N/A "Vulnerability introduced later"
+sid: released (5.6.14-2) [bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch]
+4.19-buster-security: released (4.19.118-2+deb10u1) [bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch]
+4.9-stretch-security: released (4.9.210-1+deb9u1) [bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch]
+3.16-jessie-security: N/A "Vulnerability introduced later"
diff --git a/retired/CVE-2020-0543 b/retired/CVE-2020-0543
new file mode 100644
index 000000000..efe4ae1da
--- /dev/null
+++ b/retired/CVE-2020-0543
@@ -0,0 +1,18 @@
+Description: Special Register Buffer Data Sampling (SRBDS)
+References:
+ https://www.vusec.net/projects/crosstalk/
+ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html
+Notes:
+ bwh> This issue will be mitigated by a microcode update.  However,
+ bwh> kernel changes are needed to limit the performance impact and
+ bwh> to allow disabling the mitigation where it is unneeded.
+ bwh> Embargoed until 2020-06-09 17:00 UTC.
+Bugs:
+upstream: released (5.8-rc1) [e9d7144597b10ff13ff2264c059f7d4a7fbc89ac, 93920f61c2ad7edb01e63323832585796af75fc9, 7e5b3c267d256822407a22fdce6afdf9cd13f9fb, 7222a1b5b87417f22265c92deea76a6aecd0fb0f, 3798cc4d106e91382bfe016caa2edada27c2bb3f]
+4.19-upstream-stable: released (4.19.128) [253b9e7ac000154fc41b217660cb4c99f51e2ed0, 6682fe2fca22e45153e69f5b7ce7282bcba3565f, b65105dc4242f949cea9264851ff5e5473434a91, 00c2119c632e04948677a941cbad2427b0666046, 79623df18eacf685c1ee4a1c4c185b3b92eb1167]
+4.9-upstream-stable: released (4.9.227) [5f8f40583aad4aa3c0fc8a9adaa9f1c988fa8e9e, 15cf7ca9f59ff911cd5582969377bbf8c2ecab8a, 2f93f8d6891c2bd3963e1c68ad3eabf4dd6a55af, 2808035ba55eb8aaaf5eb37421dbfff37c1f25a8, 4798f72395eb523d251f18226527329debe353e9]
+3.16-upstream-stable: released (3.16.85) [bed86e750bb02981a5efe110b7e9ae3d989a2e73, 98a637c406eefe95f2428739c1397f250bb7fadd, 8c95356f8493c164c8878134d25f30cbd6d7ae5c, 0d314e817a11e62ab223b27166de0c6b3859e0e7, 948cfe9d8a2e3f0465340d5dea9d61f282df00e7]
+sid: released (5.6.14-2) [bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch, bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch, bugfix/x86/srbds/0003-x86-speculation-Add-Special-Register-Buffer-Data-Sam.patch, bugfix/x86/srbds/0004-x86-speculation-Add-SRBDS-vulnerability-and-mitigati.patch, bugfix/x86/srbds/0005-x86-speculation-Add-Ivy-Bridge-to-affected-list.patch]
+4.19-buster-security: released (4.19.118-2+deb10u1) [bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch, bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch, bugfix/x86/srbds/0003-x86-speculation-Add-Special-Register-Buffer-Data-Sam.patch, bugfix/x86/srbds/0004-x86-speculation-Add-SRBDS-vulnerability-and-mitigati.patch, bugfix/x86/srbds/0005-x86-speculation-Add-Ivy-Bridge-to-affected-list.patch]
+4.9-stretch-security: released (4.9.210-1+deb9u1) [bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch, bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch, bugfix/x86/srbds/0003-x86-speculation-Add-Special-Register-Buffer-Data-Sam.patch, bugfix/x86/srbds/0004-x86-speculation-Add-SRBDS-vulnerability-and-mitigati.patch, bugfix/x86/srbds/0005-x86-speculation-Add-Ivy-Bridge-to-affected-list.patch]
+3.16-jessie-security: released (3.16.84-1) [bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch, bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch, bugfix/x86/srbds/0003-x86-speculation-Add-Special-Register-Buffer-Data-Sam.patch, bugfix/x86/srbds/0004-x86-speculation-Add-SRBDS-vulnerability-and-mitigati.patch, bugfix/x86/srbds/0005-x86-speculation-Add-Ivy-Bridge-to-affected-list.patch]
diff --git a/retired/CVE-2020-10757 b/retired/CVE-2020-10757
new file mode 100644
index 000000000..f4e68bb1e
--- /dev/null
+++ b/retired/CVE-2020-10757
@@ -0,0 +1,16 @@
+Description: mm: Fix mremap not considering huge pmd devmap
+References:
+ https://lore.kernel.org/lkml/A82D1BB5-D868-489A-BFED-9FCE71649A46@sjtu.edu.cn/
+ https://www.openwall.com/lists/oss-security/2020/06/04/4
+Notes:
+ carnil> Introduced in 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs
+ carnil> hugetlbfs-pmd") in 4.5-rc1
+Bugs:
+upstream: released (5.8-rc1) [5bfea2d9b17f1034a68147a8b03b9789af5700f9]
+4.19-upstream-stable: released (4.19.127) [78385480fd6572a83e7541e37658d9a7de6dc9b1]
+4.9-upstream-stable: released (4.9.227) [c915cffda0a4329ee454646138fe2b11c5ba3cd6]
+3.16-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.6.14-2) [bugfix/all/mm-Fix-mremap-not-considering-huge-pmd-devmap.patch]
+4.19-buster-security: released (4.19.118-2+deb10u1) [bugfix/all/mm-Fix-mremap-not-considering-huge-pmd-devmap.patch]
+4.9-stretch-security: released (4.9.210-1+deb9u1) [bugfix/all/mm-Fix-mremap-not-considering-huge-pmd-devmap.patch]
+3.16-jessie-security: N/A "Vulnerable code introduced later"