author Salvatore Bonaccorso <carnil@debian.org> 2022-03-25 20:49:54 +0100
committer Salvatore Bonaccorso <carnil@debian.org> 2022-03-25 20:49:54 +0100
commit 799d3c586b6df4d41fccd5fc2ff796a087c26329
tree 58859fea1691e870e5406a47cbb0c08c1e4582e6 /retired
parent e3e90ffdadf6bb9b0e7ff277a38879d594f49edd
Retire several CVEs
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2020-29374 19
-rw-r--r-- retired/CVE-2020-36322 16
-rw-r--r-- retired/CVE-2021-20317 17
-rw-r--r-- retired/CVE-2021-20321 13
-rw-r--r-- retired/CVE-2021-20322 27
-rw-r--r-- retired/CVE-2021-28711 15
-rw-r--r-- retired/CVE-2021-28712 15
-rw-r--r-- retired/CVE-2021-28713 15
-rw-r--r-- retired/CVE-2021-28714 17
-rw-r--r-- retired/CVE-2021-28715 17
-rw-r--r-- retired/CVE-2021-28950 18
-rw-r--r-- retired/CVE-2021-29264 15
-rw-r--r-- retired/CVE-2021-33033 22
-rw-r--r-- retired/CVE-2021-3640 22
-rw-r--r-- retired/CVE-2021-3744 16
-rw-r--r-- retired/CVE-2021-3752 18
-rw-r--r-- retired/CVE-2021-3760 18
-rw-r--r-- retired/CVE-2021-3764 16
-rw-r--r-- retired/CVE-2021-39685 14
-rw-r--r-- retired/CVE-2021-39686 13
-rw-r--r-- retired/CVE-2021-39698 13
-rw-r--r-- retired/CVE-2021-39714 16
-rw-r--r-- retired/CVE-2021-4002 16
-rw-r--r-- retired/CVE-2021-4083 15
-rw-r--r-- retired/CVE-2021-4135 17
-rw-r--r-- retired/CVE-2021-4155 15
-rw-r--r-- retired/CVE-2021-41864 17
-rw-r--r-- retired/CVE-2021-4202 14
-rw-r--r-- retired/CVE-2021-4203 17
-rw-r--r-- retired/CVE-2021-42739 16
-rw-r--r-- retired/CVE-2021-43389 17
-rw-r--r-- retired/CVE-2021-43976 15
-rw-r--r-- retired/CVE-2021-44733 14
-rw-r--r-- retired/CVE-2021-45095 14
-rw-r--r-- retired/CVE-2021-45480 15
-rw-r--r-- retired/CVE-2021-45868 15
-rw-r--r-- retired/CVE-2022-0001 15
-rw-r--r-- retired/CVE-2022-0002 17
-rw-r--r-- retired/CVE-2022-0322 15
-rw-r--r-- retired/CVE-2022-0330 14
-rw-r--r-- retired/CVE-2022-0435 16
-rw-r--r-- retired/CVE-2022-0487 16
-rw-r--r-- retired/CVE-2022-0492 17
-rw-r--r-- retired/CVE-2022-0516 17
-rw-r--r-- retired/CVE-2022-0617 13
-rw-r--r-- retired/CVE-2022-0644 15
-rw-r--r-- retired/CVE-2022-0847 17
-rw-r--r-- retired/CVE-2022-0998 19
-rw-r--r-- retired/CVE-2022-1043 16
-rw-r--r-- retired/CVE-2022-22942 17
-rw-r--r-- retired/CVE-2022-24448 13
-rw-r--r-- retired/CVE-2022-24959 15
-rw-r--r-- retired/CVE-2022-25258 13
-rw-r--r-- retired/CVE-2022-25375 14
-rw-r--r-- retired/CVE-2022-25636 18
-rw-r--r-- retired/CVE-2022-26878 16
56 files changed, 902 insertions, 0 deletions
diff --git a/retired/CVE-2020-29374 b/retired/CVE-2020-29374
new file mode 100644
index 000000000..888e85eae
--- /dev/null
+++ b/retired/CVE-2020-29374
@@ -0,0 +1,19 @@
+Description: gup: document and work around "COW can break either way" issue
+References:
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=2045
+ https://lore.kernel.org/stable/20210401182125.171484-1-surenb@google.com/
+ https://lore.kernel.org/stable/20211012015244.693594-1-surenb@google.com/
+Notes:
+ bwh> The issue is said to go back to "2.x kernels"
+ carnil> The backport for 4.9.y got reverted in 4.9.298, cf.
+ carnil> 6fbb8383884f2c89f4c7e2c8603b5ed1b90b815f, and then followed by
+ carnil> 0c29640bdecad332b9e2b884217c159f4aeb2556.
+Bugs:
+upstream: released (5.8-rc1) [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
+5.10-upstream-stable: N/A "Fixed before branch point"
+4.19-upstream-stable: released (4.19.189) [5e24029791e809d641e9ea46a1f99806484e53fc], released (4.19.226) [294c7a9fb608c29a9e49010b515228e20ccbec8f]
+4.9-upstream-stable: released (4.9.298) [0c29640bdecad332b9e2b884217c159f4aeb2556]
+sid: released (5.7.6-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.194-1), released (4.19.232-1)
+4.9-stretch-security: released (4.9.272-1) [bugfix/all/gup-document-and-work-around-cow-can-break-either-wa.patch]
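Review bot: the N/A reason on the `5.10-upstream-stable` line reads "Fixed before branch point" while the `5.10-bullseye-security` line in the same file reads "Fixed before branching point"; use one wording so status strings can be matched mechanically. The notes also say the 4.9.y backport was reverted in 4.9.298 and then followed by 0c29640bdecad332b9e2b884217c159f4aeb2556, but `4.9-stretch-security` is marked released at 4.9.272-1 with a local patch; a note stating whether that local patch is affected by the revert would make the stretch status verifiable.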
diff --git a/retired/CVE-2020-36322 b/retired/CVE-2020-36322
new file mode 100644
index 000000000..5aa1831cf
--- /dev/null
+++ b/retired/CVE-2020-36322
@@ -0,0 +1,16 @@
+Description: fuse: fix bad inode
+References:
+Notes:
+ carnil> Note that this CVE relates as well to CVE-2021-28950, which is
+ carnil> assigned because of an initial incomplete fix for this CVE.
+ bwh> Commit message says this bug has been present since the
+ bwh> introduction of fuse.
+Bugs:
+upstream: released (5.11-rc1) [5d069dbe8aaf2a197142558b6fb2978189ba3454]
+5.10-upstream-stable: released (5.10.6) [36cf9ae54b0ead0daab7701a994de3dcd9ef605d]
+4.19-upstream-stable: released (4.19.226) [1e1bb4933f1faafc68db8e0ecd5838a65dd1aae9]
+4.9-upstream-stable: released (4.9.298) [3a2f8823aa565cc67bdd00c4cd5e1d8ad81e8436]
+sid: released (5.10.9-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.272-1) [bugfix/all/fuse-fix-bad-inode.patch]
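Review bot: the `References:` field is empty and `Description:` carries only the commit subject "fuse: fix bad inode", so the entry never states the impact. The notes in retired/CVE-2021-28950 describe this fix as addressing "another DoS issue"; stating that here, in the notes or the description, would let a reader triage the entry without opening the commit.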
diff --git a/retired/CVE-2021-20317 b/retired/CVE-2021-20317
new file mode 100644
index 000000000..44ec69857
--- /dev/null
+++ b/retired/CVE-2021-20317
@@ -0,0 +1,17 @@
+Description: lib/timerqueue: Rely on rbtree semantics for next timer
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2005258
+Notes:
+ bwh> It's not totally clear what the bug is, but the code in 4.9 is
+ bwh> similar enough to 4.19 that I think it must also be affected.
+ bwh> For 4.9, commit cd9e61ed1eeb "rbtree: cache leftmost node internally"
+ bwh> needs to be applied first.
+Bugs:
+upstream: released (5.4-rc1) [511885d7061eda3eb1faf3f57dcc936ff75863f1]
+5.10-upstream-stable: N/A "Fixed before branching point"
+4.19-upstream-stable: released (4.19.210) [b9a1ac8e7c03fd09992352c7fb1a61cbbb9ad52b]
+4.9-upstream-stable: released (4.9.298) [ef2e64035f074bfeef14c28347aaec0b486a9e9f]
+sid: released (5.4.6-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1) [bugfix/all/lib-timerqueue-rely-on-rbtree-semantics-for-next-tim.patch]
diff --git a/retired/CVE-2021-20321 b/retired/CVE-2021-20321
new file mode 100644
index 000000000..ecbcf5587
--- /dev/null
+++ b/retired/CVE-2021-20321
@@ -0,0 +1,13 @@
+Description: ovl: fix missing negative dentry check in ovl_rename()
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2013242
+Notes:
+Bugs:
+upstream: released (5.15-rc5) [a295aef603e109a47af355477326bd41151765b6]
+5.10-upstream-stable: released (5.10.73) [9763ffd4da217adfcbdcd519e9f434dfa3952fc3]
+4.19-upstream-stable: released (4.19.211) [9d4969d8b5073d02059bae3f1b8d9a20cf023c55]
+4.9-upstream-stable: released (4.9.287) [286f94453fb34f7bd6b696861c89f9a13f498721]
+sid: released (5.14.12-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2021-20322 b/retired/CVE-2021-20322
new file mode 100644
index 000000000..d5917886c
--- /dev/null
+++ b/retired/CVE-2021-20322
@@ -0,0 +1,27 @@
+Description: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2014230
+ https://lore.kernel.org/stable/YXwNmcIcmOYTRhG2@kroah.com/T/#m0104263473be2806725abb19a30d6288da622898
+Notes:
+ carnil> Backports for 4.19.y and 4.9.y seems incomplete for the time
+ carnil> beeing and only have the "ipv4: make exception cache less
+ carnil> predictible" patch.
+ bwh> Introduced for ipv4 in 3.6 by commit 4895c771c7f0 "ipv4: Add FIB nexthop
+ bwh> exceptions."
+ bwh> Introduced For ipv6 in 4.15 by commits 35732d01fe31 "ipv6: introduce a
+ bwh> hash table to store dst cache" and 2b760fcf5cfb "ipv6: hook up exception
+ bwh> table to store dst cache".
+ bwh> So for the 4.9 branches only ipv4 needs to be fixed.
+ carnil> For 4.19.y additionally required
+ carnil> ipv4: use siphash instead of Jenkins in fnhe_hashfun()
+ carnil> ipv6: use siphash in rt6_exception_hash()
+ carnil> ipv6: make exception cache less predictible
+Bugs:
+upstream: released (5.14) [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1], released (5.15-rc1) [a00df2caffed3883c341d5685f830434312e4a43, 67d6d681e15b578c1725bad8ad079e05d1c48a8e]
+5.10-upstream-stable: released (5.10.62) ]dced8347a727528b388f04820f48166f1e651af6, beefd5f0c63a31a83bc5a99e6888af884745684b], released (5.10.65) [8692f0bb29927d13a871b198adff1d336a8d2d00, 5867e20e1808acd0c832ddea2587e5ee49813874]
+4.19-upstream-stable: released (4.19.207) [3e6bd2b583f18da9856fc9741ffa200a74a52cba], released (4.19.215) [6e2856767eb1a9cfcfcd82136928037f04920e97, ad829847ad59af8e26a1f1c345716099abbc7a58, c6d0d68d6da68159948cad3d808d61bb291a0283]
+4.9-upstream-stable: released (4.9.283) [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
+sid: released (5.14.6-1)
+5.10-bullseye-security: released (5.10.70-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
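Review bot: the `5.10-upstream-stable` line opens its first commit list with `]` instead of `[` (`released (5.10.62) ]dced8347...`), which will break any tooling that parses the bracketed commit lists; change it to `[`. The first carnil note also still says the 4.19.y and 4.9.y backports "seems incomplete for the time beeing", yet the `4.19-upstream-stable` line now records three further commits in 4.19.215 and the file is being retired; the note should be updated or marked as superseded (and "beeing" corrected) so the retired record does not read as an open issue.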
diff --git a/retired/CVE-2021-28711 b/retired/CVE-2021-28711
new file mode 100644
index 000000000..d5df51340
--- /dev/null
+++ b/retired/CVE-2021-28711
@@ -0,0 +1,15 @@
+Description: Rogue backends can cause DoS of guests via high frequency events (blkfront)
+References:
+ https://xenbits.xen.org/xsa/advisory-391.html
+ https://xenbits.xen.org/xsa/xsa391-linux-1.patch
+Notes:
+ carnil> Fixed as well in 5.15.11 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc7) [0fd08a34e8e3b67ec9bd8287ac0facf8374b844a]
+5.10-upstream-stable: released (5.10.88) [8ac3b6ee7c9ff2df7c99624bb1235e2e55623825]
+4.19-upstream-stable: released (4.19.222) [269d7124bcfad2558d2329d0fe603ca20b20d3f4]
+4.9-upstream-stable: released (4.9.294) [25898389795bd85d8e1520c0c75c3ad906c17da7]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-28712 b/retired/CVE-2021-28712
new file mode 100644
index 000000000..de8b6230c
--- /dev/null
+++ b/retired/CVE-2021-28712
@@ -0,0 +1,15 @@
+Description: Rogue backends can cause DoS of guests via high frequency events (netfront)
+References:
+ https://xenbits.xen.org/xsa/advisory-391.html
+ https://xenbits.xen.org/xsa/xsa391-linux-2.patch
+Notes:
+ carnil> Fixed as well in 5.15.11 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc7) [b27d47950e481f292c0a5ad57357edb9d95d03ba]
+5.10-upstream-stable: released (5.10.88) [d31b3379179d64724d3bbfa87bd4ada94e3237de]
+4.19-upstream-stable: released (4.19.222) [3559ca594f15fcd23ed10c0056d40d71e5dab8e5]
+4.9-upstream-stable: released (4.9.294) [99120c8230fdd5e8b72a6e4162db9e1c0a61954a]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-28713 b/retired/CVE-2021-28713
new file mode 100644
index 000000000..842250798
--- /dev/null
+++ b/retired/CVE-2021-28713
@@ -0,0 +1,15 @@
+Description: Rogue backends can cause DoS of guests via high frequency events (hvc_xen (console))
+References:
+ https://xenbits.xen.org/xsa/advisory-391.html
+ https://xenbits.xen.org/xsa/xsa391-linux-3.patch
+Notes:
+ carnil> For 5.15.y fixed as well in 5.15.11.
+Bugs:
+upstream: released (5.16-rc7) [fe415186b43df0db1f17fa3a46275fd92107fe71]
+5.10-upstream-stable: released (5.10.88) [8fa3a370cc2af858a9ba662ca4f2bd0917550563]
+4.19-upstream-stable: released (4.19.222) [57e46acb3b48ea4e8efb1e1bea2e89e0c6cc43e2]
+4.9-upstream-stable: released (4.9.294) [728389c21176b2095fa58e858d5ef1d2f2aac429]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-28714 b/retired/CVE-2021-28714
new file mode 100644
index 000000000..d6d8c5678
--- /dev/null
+++ b/retired/CVE-2021-28714
@@ -0,0 +1,17 @@
+Description: Guest can force Linux netback driver to hog large amounts of kernel memory
+References:
+ https://xenbits.xen.org/xsa/advisory-392.html
+ https://xenbits.xen.org/xsa/xsa392-linux-1.patch
+Notes:
+ carnil> Commit fixes 1d5d48523900 ("xen-netback: require fewer guest Rx
+ carnil> slots when not using GSO") in 4.3-rc1.
+ carnil> Fixed as well in 5.15.11 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc7) [6032046ec4b70176d247a71836186d47b25d1684]
+5.10-upstream-stable: released (5.10.88) [525875c410df5d876b9615c44885ca7640aed6f2]
+4.19-upstream-stable: released (4.19.222) [1de7644eac41981817fb66b74e0f82ca4477dc9d]
+4.9-upstream-stable: released (4.9.294) [1f66dc775092e5a353e0155fc3aca5dabce77c63]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-28715 b/retired/CVE-2021-28715
new file mode 100644
index 000000000..273097922
--- /dev/null
+++ b/retired/CVE-2021-28715
@@ -0,0 +1,17 @@
+Description: Guest can force Linux netback driver to hog large amounts of kernel memory
+References:
+ https://xenbits.xen.org/xsa/advisory-392.html
+ https://xenbits.xen.org/xsa/xsa392-linux-2.patch
+Notes:
+ carnil> Commit fixes f48da8b14d04 ("xen-netback: fix unlimited guest Rx
+ carnil> internal queue and carrier flapping").
+ carnil> For 5.15.y fixed as well in 5.15.11.
+Bugs:
+upstream: released (5.16-rc7) [be81992f9086b230623ae3ebbc85ecee4d00a3d3]
+5.10-upstream-stable: released (5.10.88) [88f20cccbeec9a5e83621df5cc2453b5081454dc]
+4.19-upstream-stable: released (4.19.222) [c9f17e92917fd5786be872626a3928979ecc4c39]
+4.9-upstream-stable: released (4.9.294) [b4226b387436315e7f57465c15335f4f4b5b075d]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
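Review bot: the `Description:` line is word-for-word identical to the one in retired/CVE-2021-28714, so the two XSA-392 entries can only be told apart by the patch URL and the "Commit fixes" note. Adding a short qualifier to each description, taken from the respective commit subjects quoted in the notes, would make searches and reports unambiguous.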
diff --git a/retired/CVE-2021-28950 b/retired/CVE-2021-28950
new file mode 100644
index 000000000..18e926a5e
--- /dev/null
+++ b/retired/CVE-2021-28950
@@ -0,0 +1,18 @@
+Description: fuse: fix live lock in fuse_iget()
+References:
+Notes:
+ carnil> Commit fixes 5d069dbe8aaf ("fuse: fix bad inode") which is only
+ carnil> present in 5.4.88, 5.10.6 and 5.11-rc1 so might not affect
+ carnil> older versions.
+ bwh> Commit 5d069dbe8aaf "fuse: fix bad inode" fixed another DoS issue,
+ bwh> so we'll need to backport both of them.
+ carnil> The 5d069dbe8aaf "fuse: fix bad inode" is CVE-2020-36322.
+Bugs:
+upstream: released (5.12-rc4) [775c5033a0d164622d9d10dd0f0a5531639ed3ed]
+5.10-upstream-stable: released (5.10.25) [d955f13ea2120269319d6133d0dd82b66d1eeca3]
+4.19-upstream-stable: released (4.19.226) [8a8908cb82568c71b672e83d834e8b59ccf75f8e]
+4.9-upstream-stable: released (4.9.298) [fde32bbe9a540af28579da6480fc55cc50099ece]
+sid: released (5.10.24-1) [bugfix/all/fuse-fix-live-lock-in-fuse_iget.patch]
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.272-1) [bugfix/all/fuse-fix-live-lock-in-fuse_iget.patch]
diff --git a/retired/CVE-2021-29264 b/retired/CVE-2021-29264
new file mode 100644
index 000000000..14e831ba4
--- /dev/null
+++ b/retired/CVE-2021-29264
@@ -0,0 +1,15 @@
+Description: gianfar: fix jumbo packets+napi+rx overrun crash
+References:
+Notes:
+ bwh> Introduced in 4.8 by commit 6c389fc931bc "gianfar: fix size of
+ bwh> scatter-gathered frames".
+ bwh> Driver is not enabled by any Debian official config.
+Bugs:
+upstream: released (5.12-rc3) [d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f]
+5.10-upstream-stable: released (5.10.27) [b8bfda6e08b8a419097eea5a8e57671bc36f9939]
+4.19-upstream-stable: released (4.19.184) [9943741c2792a7f1d091aad38f496ed6eb7681c4]
+4.9-upstream-stable: released (4.9.298) [2cf34285e6eac396a180762c5504e2911df88c9a]
+sid: released (5.10.28-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.194-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-33033 b/retired/CVE-2021-33033
new file mode 100644
index 000000000..ce1e73191
--- /dev/null
+++ b/retired/CVE-2021-33033
@@ -0,0 +1,22 @@
+Description: cipso,calipso: resolve a number of problems with the DOI refcounts
+References:
+ https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-cipso_v4_genopt
+ https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e
+Notes:
+ carnil> First commit required landed in 4.19.181, 5.10.24, 5.12-rc3.
+ carnil> Second one in 4.19.187, 5.10.30, 5.12-rc7.
+ bwh> The "second commit" in ieee802154 (1165affd4848) is fixing a
+ bwh> totally different issue. These components are part of Netlabel
+ bwh> which was only enabled by Debian official configs since version
+ bwh> 5.6.7-1.
+ carnil> The "second comit" is indeed a completely different issue, and
+ carnil> got CVE-2021-3659 assigned.
+Bugs:
+upstream: released (5.12-rc7) [ad5d07f4a9cd671233ae20983848874731102c08]
+5.10-upstream-stable: released (5.10.24) [85178d76febd30a745b7d947dbd9751919d0fa5b]
+4.19-upstream-stable: released (4.19.181) [a44af1c69737f9e64d5134c34eb9d5c4c2e04da1]
+4.9-upstream-stable: released (4.9.298) [f49f0e65a95664b648e058aa923f651ec08dfeb7]
+sid: released (5.10.24-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: released (4.19.181-1)
+4.9-stretch-security: released (4.9.303-1)
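Review bot: the `upstream:` line says `released (5.12-rc7)`, but the notes state that the first (relevant) commit landed in 5.12-rc3 and that the one in 5.12-rc7 is the "second commit", which the later notes identify as a different issue (CVE-2021-3659). The stable lines (5.10.24, 4.19.181) match the first commit, so the upstream version tag looks inconsistent with the listed hash and should be checked. Minor: "comit" in the last carnil note is a typo.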
diff --git a/retired/CVE-2021-3640 b/retired/CVE-2021-3640
new file mode 100644
index 000000000..9442849a7
--- /dev/null
+++ b/retired/CVE-2021-3640
@@ -0,0 +1,22 @@
+Description: UAF in sco_send_frame function
+References:
+ https://www.openwall.com/lists/oss-security/2021/07/22/1
+ https://bugzilla.suse.com/show_bug.cgi?id=1188172
+ https://x-lore.kernel.org/all/883dc4b7-d1a1-3d31-a5a8-8fa1791084b6@i-love.sakura.ne.jp/
+Notes:
+ carnil> Prerequisites before the "last piece for fixing CVE-2021-3640"
+ carnil> are e04480920d1e ("Bluetooth: defer cleanup of resources in
+ carnil> hci_unregister_dev()") and 734bc5ff7831 ("Bluetooth: avoid
+ carnil> circular locks in sco_sock_connect"), ba316be1b6a0 ("Bluetooth:
+ carnil> schedule SCO timeouts with delayed_work"), 27c24fda62b6
+ carnil> ("Bluetooth: switch to lock_sock in SCO")
+ carnil> For 5.15.y fixed as well in 5.15.3
+Bugs:
+upstream: released (5.16-rc1) [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
+5.10-upstream-stable: released (5.10.80) [4dfba42604f08a505f1a1efc69ec5207ea6243de]
+4.19-upstream-stable: released (4.19.218) [c1c913f797f3d2441310182ad75b7bd855a327ff]
+4.9-upstream-stable: released (4.9.291) [9bbe312ebea40c9b586c2b07a0d0948ff418beca]
+sid: released (5.15.3-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
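Review bot: the notes list four prerequisite commits before the "last piece" of the fix, but each status line records only a single commit, so nothing in the file shows that the prerequisites are present in the 5.10, 4.19 and 4.9 releases marked as fixed. Either list the prerequisite backports per branch or add a note confirming they were checked. The third reference also uses the host `x-lore.kernel.org` where the other entries in this commit use `lore.kernel.org`; confirm the link resolves.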
diff --git a/retired/CVE-2021-3744 b/retired/CVE-2021-3744
new file mode 100644
index 000000000..47438db16
--- /dev/null
+++ b/retired/CVE-2021-3744
@@ -0,0 +1,16 @@
+Description: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2000627
+ https://www.openwall.com/lists/oss-security/2021/09/14/1
+Notes:
+ bwh> Introduced in 4.12 by commit 36cf515b9bbe "crypto: ccp - Enable support
+ bwh> for AES GCM on v5 CCPs".
+Bugs:
+upstream: released (5.15-rc4) [505d9dcb0f7ddf9d075e729523a33d38642ae680]
+5.10-upstream-stable: released (5.10.71) [17ccc64e4fa5d3673528474bfeda814d95dc600a]
+4.19-upstream-stable: released (4.19.209) [710be7c42d2f724869e5b18b21998ceddaffc4a9]
+4.9-upstream-stable: N/A "Vulnerability introduced later"
+sid: released (5.14.12-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerability introduced later"
diff --git a/retired/CVE-2021-3752 b/retired/CVE-2021-3752
new file mode 100644
index 000000000..dd73c6773
--- /dev/null
+++ b/retired/CVE-2021-3752
@@ -0,0 +1,18 @@
+Description: UAF in bluetooth
+References:
+ https://www.openwall.com/lists/oss-security/2021/09/15/4
+ https://bugzilla.suse.com/show_bug.cgi?id=1190023
+ https://lore.kernel.org/lkml/20210714031733.1395549-1-bobo.shaobowang@huawei.com/
+Notes:
+ carnil> With the presence of 3af70b39fa2d ("Bluetooth: check for zapped
+ carnil> sk before connecting") in 5.13-rc1 (and 5.10.38, 4.19.191) this
+ carnil> bug is not easy to trigger itself.
+Bugs:
+upstream: released (5.16-rc1) [1bff51ea59a9afb67d2dd78518ab0582a54a472c]
+5.10-upstream-stable: released (5.10.80) [c10465f6d6208db2e45a6dac1db312b9589b2583]
+4.19-upstream-stable: released (4.19.218) [72bb30165337b7bce77578ad151fbfab6c8e693c]
+4.9-upstream-stable: released (4.9.291) [d19ea7da0eeb61be28ec05d8b8bddec3dde71610]
+sid: released (5.15.3-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-3760 b/retired/CVE-2021-3760
new file mode 100644
index 000000000..fbf47f7e7
--- /dev/null
+++ b/retired/CVE-2021-3760
@@ -0,0 +1,18 @@
+Description: nfc: nci: fix the UAF of rf_conn_info object
+References:
+ https://www.openwall.com/lists/oss-security/2021/10/26/2
+Notes:
+ carnil> Fixed as well in 5.14.15 for 5.14.y.
+ bwh> Introduced in 4.0 by commits 12bdf27d46c9 "NFC: nci: Add reference to
+ bwh> the RF logical connection" and 15d4a8da0e44 "NFC: nci: Move logical
+ bwh> connection structure allocation".
+ carnil> CONFIG_NFC_NCI is not set in Debian.
+Bugs:
+upstream: released (5.15-rc6) [1b1499a817c90fd1ce9453a2c98d2a01cca0e775]
+5.10-upstream-stable: released (5.10.76) [77c0ef979e32b8bc22f36a013bab77cd37e31530]
+4.19-upstream-stable: released (4.19.214) [1ac0d736c8ae9b59ab44e4e80ad73c8fba5c6132]
+4.9-upstream-stable: released (4.9.288) [8a44904ce83ebcb1281b04c8d37ad7f8ab537a3d]
+sid: released (5.14.16-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2021-3764 b/retired/CVE-2021-3764
new file mode 100644
index 000000000..437f5019e
--- /dev/null
+++ b/retired/CVE-2021-3764
@@ -0,0 +1,16 @@
+Description: DoS in ccp_run_aes_gcm_cmd() function
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1997467
+Notes:
+ carnil> Patch for CVE-2021-3744 contains fix as well for this issue.
+ bwh> Introduced in 4.12 by commit 36cf515b9bbe "crypto: ccp - Enable support
+ bwh> for AES GCM on v5 CCPs".
+Bugs:
+upstream: released (5.15-rc4) [505d9dcb0f7ddf9d075e729523a33d38642ae680]
+5.10-upstream-stable: released (5.10.71) [17ccc64e4fa5d3673528474bfeda814d95dc600a]
+4.19-upstream-stable: released (4.19.209) [710be7c42d2f724869e5b18b21998ceddaffc4a9]
+4.9-upstream-stable: N/A "Vulnerability introduced later"
+sid: released (5.14.12-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerability introduced later"
diff --git a/retired/CVE-2021-39685 b/retired/CVE-2021-39685
new file mode 100644
index 000000000..5229b8716
--- /dev/null
+++ b/retired/CVE-2021-39685
@@ -0,0 +1,14 @@
+Description: Linux Kernel USB Gadget buffer overflow
+References:
+ https://www.openwall.com/lists/oss-security/2021/12/15/4
+Notes:
+ carnil> Fixed as well in 5.15.8 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc5) [153a2d7e3350cc89d406ba2d35be8793a64c2038, 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
+5.10-upstream-stable: released (5.10.85) [7193ad3e50e596ac2192531c58ba83b9e6d2444b, e4de8ca013f06ad4a0bf40420a291c23990e4131]
+4.19-upstream-stable: released (4.19.221) [13e45e7a262dd96e8161823314679543048709b9, 32de5efd483db68f12233fbf63743a2d92f20ae4]
+4.9-upstream-stable: released (4.9.293) [d2ca6859ea96c6d4c6ad3d6873a308a004882419, e4de8ca013f06ad4a0bf40420a291c23990e4131]
+sid: released (5.15.5-2) [bugfix/all/USB-gadget-detect-too-big-endpoint-0-requests.patch, bugfix/all/USB-gadget-zero-allocate-endpoint-0-buffers.patch]
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
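Review bot: the hash e4de8ca013f06ad4a0bf40420a291c23990e4131 appears as the second commit on both the `5.10-upstream-stable` and the `4.9-upstream-stable` lines. Backports to different stable branches normally have distinct commit ids (as the first hash on each line does), so one of the two looks like a copy-paste error; please verify the 4.9.293 hash against the 4.9.y tree.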
diff --git a/retired/CVE-2021-39686 b/retired/CVE-2021-39686
new file mode 100644
index 000000000..866327d4d
--- /dev/null
+++ b/retired/CVE-2021-39686
@@ -0,0 +1,13 @@
+Description:
+References:
+ https://source.android.com/security/bulletin/2022-03-01
+Notes:
+Bugs:
+upstream: released (5.16-rc1) [29bc22ac5e5bc63275e850f0c8fc549e3d0e306b, 52f88693378a58094c538662ba652aff0253c4fe, 4d5b5539742d2554591751b4248b0204d20dcc9d, c21a80ca0684ec2910344d72556c816cb8940c01]
+5.10-upstream-stable: released (5.10.80) [bd9cea41ac6e08f615030dea28b23e12b7a2674f, 0d9f4ae7cd6f5283dd0e343265268c695ef592b0, afbec52fbce006a775edb21f87ccae713bc0e7d6], released (5.10.83) [4402cf0402526f7c5befa97481be13b131797838]
+4.19-upstream-stable: released (4.19.218) [5d40061285b81a7e213dc9b37acc4a0545eedf32, e82f3f9638f17d58e9a217bce127e2376aefcb9d], released (4.19.219) [c3b9f29fca6682550d731c80745b421415c1e0af]
+4.9-upstream-stable: released (4.9.291) [443fc43d2fdbf55be7aa86faae1f7655e761e683, 22d4a6dacee058b58640ef8109b0c8fc5d1b80e2], released (4.9.292) [404fb1097298690b1d7d1c59eab806bbdd757267]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
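Review bot: `Description:` and `Notes:` are both empty, leaving the Android bulletin URL as the only indication of what this CVE is. With four upstream commits and fixes split across two point releases per stable branch, a one-line description and a note on which commit is the actual fix versus follow-ups would make the retired record usable on its own.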
diff --git a/retired/CVE-2021-39698 b/retired/CVE-2021-39698
new file mode 100644
index 000000000..1cd1d5fb3
--- /dev/null
+++ b/retired/CVE-2021-39698
@@ -0,0 +1,13 @@
+Description:
+References:
+ https://source.android.com/security/bulletin/2022-03-01
+Notes:
+Bugs:
+upstream: released (5.16-rc5) [42288cb44c4b5fff7653bc392b583a2b8bd6a8c0, a880b28a71e39013e357fd3adccd1d8a31bc69a8, 9537bae0da1f8d1e2361ab6d0479e8af7824e160, 363bee27e25804d8981dd1c025b4ad49dc39c530, 50252e4b5e989ce64555c7aef7516bdefc2fea72]
+5.10-upstream-stable: released (5.10.85) [8e04c8397bf98235b1aa41153717de7a05e652a2, 9f3acee7eac8d8690134b09ba55e2c12164d24ae, fc2f636ffc446d8e9530e441897f877922269051, e4d19740bccab792f16c7ca6fd1f9aea06193cb2, 47ffefd88abfffe8a040bcc1dd0554d4ea6f7689]
+4.19-upstream-stable: released (4.19.221) [8dd7c46a59756bdc29cb9783338b899cd3fb4b83, 32288f504035b6c359cc33ee615f74f14be2e38a, f226fdd855b7d9c1f2a6e878d82eb3e1fbc880e9, 580c7e023303ce3a187adcaa40868bfc740725d2, 321fba81ec034f88aea4898993c1bf15605c023f]
+4.9-upstream-stable: released (4.9.293) [0e92a7e47a0411d5208990c83a3d200515e314e8, 0487ea896e62b5a90a81ac6e73c35e595d77f499, 5ecb4e93d70a21f3b7094029986ef0c3e321f56c]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
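Review bot: the `4.9-upstream-stable` line lists three commits while upstream, 5.10 and 4.19 each list five, and there is no note explaining why two are not needed on 4.9. Add a note recording which two commits do not apply to 4.9.y and why, so the "released" status can be audited. The empty `Description:` should also be filled in.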
diff --git a/retired/CVE-2021-39714 b/retired/CVE-2021-39714
new file mode 100644
index 000000000..52109ef29
--- /dev/null
+++ b/retired/CVE-2021-39714
@@ -0,0 +1,16 @@
+Description:
+References:
+ https://source.android.com/security/bulletin/pixel/2022-03-01
+Notes:
+ carnil> ion driver removing from the tree in 5.11-rc1. Earlier the
+ carnil> affected code was removed with e3b914bc7eb6 ("staging: android:
+ carnil> ion: Drop ion_map_kernel interface") in 4.12-rc1.
+Bugs:
+upstream: released (4.12-rc1) [e3b914bc7eb6bcecc5b597ee6e31fc40442c291f]
+5.10-upstream-stable: N/A "Fixed before branching point"
+4.19-upstream-stable: N/A "Fixed before branching point"
+4.9-upstream-stable: released (4.9.292) [16b34e53eaadda6cbb1f0452fd99700c44db23be]
+sid: released (4.12.6-1)
+5.10-bullseye-security: N/A "Fixed before branching point"
+4.19-buster-security: N/A "Fixed before branching point"
+4.9-stretch-security: released (4.9.303-1)
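Review bot: `Description:` is empty even though the notes already identify the affected code (the ion driver's ion_map_kernel interface); a short description derived from that would help. The note text "ion driver removing from the tree in 5.11-rc1" should read "removed", and it would be worth stating that the 4.9.292 commit 16b34e53eaadda6cbb1f0452fd99700c44db23be is a 4.9-specific fix rather than a backport of e3b914bc7eb6, if that is the case.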
diff --git a/retired/CVE-2021-4002 b/retired/CVE-2021-4002
new file mode 100644
index 000000000..307fe96a4
--- /dev/null
+++ b/retired/CVE-2021-4002
@@ -0,0 +1,16 @@
+Description: hugetlbfs: flush TLBs correctly after huge_pmd_unshare
+References:
+ https://www.openwall.com/lists/oss-security/2021/11/25/1
+Notes:
+ carnil> For 5.16-rc1 onwards only additionally there is 13e4ad2ce8df
+ carnil> ("hugetlbfs: flush before unlock on
+ carnil> move_hugetlb_page_tables()") to be applied.
+Bugs:
+upstream: released (5.16-rc3) [a4a118f2eead1d6c49e00765de89878288d4b890]
+5.10-upstream-stable: released (5.10.82) [40bc831ab5f630431010d1ff867390b07418a7ee]
+4.19-upstream-stable: released (4.19.219) [b0313bc7f5fbb6beee327af39d818ffdc921821a]
+4.9-upstream-stable: released (4.9.292) [8e80bf5d001594b037de04fb4fe89f34cfbcb3ba]
+sid: released (5.15.5-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-4083 b/retired/CVE-2021-4083
new file mode 100644
index 000000000..7bea8215c
--- /dev/null
+++ b/retired/CVE-2021-4083
@@ -0,0 +1,15 @@
+Description: fget: check that the fd still exists after getting a ref to it
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2029923
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=2247
+Notes:
+ carnil> Fixed as weil in 5.15.7 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc4) [054aa8d439b9185d4f5eb9a90282d1ce74772969]
+5.10-upstream-stable: released (5.10.84) [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
+4.19-upstream-stable: released (4.19.220) [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
+4.9-upstream-stable: released (4.9.292) [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
+sid: released (5.15.5-2) [bugfix/all/fget-check-that-the-fd-still-exists-after-getting-a-.patch]
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
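Review bot: typo in the carnil note, "Fixed as weil in 5.15.7 for 5.15.y." should read "Fixed as well in". The same sentence is spelled correctly in the other entries of this commit, so a text search for that phrasing would miss this file.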
diff --git a/retired/CVE-2021-4135 b/retired/CVE-2021-4135
new file mode 100644
index 000000000..afb593ef9
--- /dev/null
+++ b/retired/CVE-2021-4135
@@ -0,0 +1,17 @@
+Description: netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2026786
+Notes:
+ carnil> Commit fixes 395cacb5f1a0 ("netdevsim: bpf: support fake map
+ carnil> offload") in 4.16-rc1.
+ carnil> Fixed as well in 5.15.11 for 5.15.y.
+ carnil> CONFIG_NETDEVSIM is not set is not set in Debian
+Bugs:
+upstream: released (5.16-rc6) [481221775d53d6215a6e5e9ce1cce6d2b4ab9a46]
+5.10-upstream-stable: released (5.10.88) [1a34fb9e2bf3029f7c0882069d67ff69cbd645d8]
+4.19-upstream-stable: released (4.19.222) [d861443c4dc88650eed113310d933bd593d37b23]
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerable code introduced later"
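Review bot: the last carnil note repeats itself ("CONFIG_NETDEVSIM is not set is not set in Debian"); drop the duplicated "is not set". The N/A reason here is "Vulnerable code introduced later" whereas retired/CVE-2021-3744 and retired/CVE-2021-3764 use "Vulnerability introduced later"; pick one string for consistency.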
diff --git a/retired/CVE-2021-4155 b/retired/CVE-2021-4155
new file mode 100644
index 000000000..932a7f337
--- /dev/null
+++ b/retired/CVE-2021-4155
@@ -0,0 +1,15 @@
+Description: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2034813
+ https://www.openwall.com/lists/oss-security/2022/01/10/1
+Notes:
+ carnil> Fixed as well in 5.15.14 for 5.15.y.
+Bugs:
+upstream: released (5.16) [983d8e60f50806f90534cc5373d0ce867e5aaf79]
+5.10-upstream-stable: released (5.10.91) [16d8568378f9ee2d1e69216d39961aa72710209f]
+4.19-upstream-stable: released (4.19.225) [1c3564fca0e7b8c9e96245a2cb35e198b036ee9a]
+4.9-upstream-stable: released (4.9.297) [19e3d9a26f28f432ae89acec22ec47b2a72a502c]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-41864 b/retired/CVE-2021-41864
new file mode 100644
index 000000000..baa295947
--- /dev/null
+++ b/retired/CVE-2021-41864
@@ -0,0 +1,17 @@
+Description: bpf: Fix integer overflow in prealloc_elems_and_freelist()
+References:
+ https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=30e29a9a2bc6a4888335a6ede968b75cd329657a
+ https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/
+Notes:
+ carnil> Commit fixes 557c0c6e7df8 ("bpf: convert stackmap to pre-
+ carnil> allocation").
+ carnil> Fixed as well in 5.14.12 in the 5.14.y series.
+Bugs:
+upstream: released (5.15-rc5) [30e29a9a2bc6a4888335a6ede968b75cd329657a]
+5.10-upstream-stable: released (5.10.73) [064faa8e8a9b50f5010c5aa5740e06d477677a89]
+4.19-upstream-stable: released (4.19.211) [078cdd572408176a3900a6eb5a403db0da22f8e0]
+4.9-upstream-stable: released (4.9.287) [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6]
+sid: released (5.14.12-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2021-4202 b/retired/CVE-2021-4202
new file mode 100644
index 000000000..95ef54c08
--- /dev/null
+++ b/retired/CVE-2021-4202
@@ -0,0 +1,14 @@
+Description: Race condition in nci_request() leads to use after free while the device is getting removed
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2036682
+Notes:
+ carnil> CONFIG_NFC_NCI not enabled in Debian.
+Bugs:
+upstream: released (5.16-rc2) [86cdf8e38792545161dbe3350a7eced558ba4d15, 48b71a9e66c2eab60564b1b1c85f4928ed04e406]
+5.10-upstream-stable: released (5.10.82) [cb14b196d991c864ed2d1b6e79d68a7ce38e6538, 34e54703fb0fdbfc0a3cfc065d71e9a8353d3ac9]
+4.19-upstream-stable: released (4.19.218) [62be2b1e7914b7340281f09412a7bbb62e6c8b67], (4.19.219) 2350cffd71e74bf81dedc989fdec12aebe89a4a5]
+4.9-upstream-stable: released (4.9.291) [4a59a3681158a182557c75bacd00d184f9b2a8f5], (4.9.292) [57c076e64ab55adf556cc515914564d61979f7c2]
+sid: released (5.15.5-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
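Review bot: The 4.19-upstream-stable line has an unbalanced bracket: the second commit is written as "(4.19.219) 2350cffd71e74bf81dedc989fdec12aebe89a4a5]" with no opening "[". The 4.9-upstream-stable line directly below uses the same per-version split and brackets both hashes, so adding the missing "[" keeps the two lines consistent and keeps the commit list parseable by anything that reads the bracketed fields.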
diff --git a/retired/CVE-2021-4203 b/retired/CVE-2021-4203
new file mode 100644
index 000000000..ec6f6bc46
--- /dev/null
+++ b/retired/CVE-2021-4203
@@ -0,0 +1,17 @@
+Description: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2036934
+ https://lore.kernel.org/netdev/20210929225750.2548112-1-eric.dumazet@gmail.com/T/
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=2230
+Notes:
+ carnil> Commit fixes 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work
+ carnil> across namespaces.").
+Bugs:
+upstream: released (5.15-rc4) [35306eb23814444bd4021f8a1c3047d3cb0c8b2b]
+5.10-upstream-stable: released (5.10.71) [3db53827a0e9130d9e2cbe3c3b5bca601caa4c74]
+4.19-upstream-stable: released (4.19.209) [0512a9aede6e4417c4fa6e0042a7ca8bc7e06b86]
+4.9-upstream-stable: released (4.9.286) [09818f629bafbe20e24bac919019853ea3ac5ca4]
+sid: released (5.14.12-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2021-42739 b/retired/CVE-2021-42739
new file mode 100644
index 000000000..7dfd3bdf4
--- /dev/null
+++ b/retired/CVE-2021-42739
@@ -0,0 +1,16 @@
+Description: media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1951739
+ https://www.openwall.com/lists/oss-security/2021/04/20/1
+ https://lore.kernel.org/linux-media/YHaulytonFcW+lyZ@mwanda/
+ https://lore.kernel.org/linux-media/20210913152302.76d57784@coco.lan/
+Notes:
+Bugs:
+upstream: released (5.16-rc1) [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]
+5.10-upstream-stable: released (5.10.78) [d7fc85f6104259541ec136199d3bf7c8a736613d]
+4.19-upstream-stable: released (4.19.216) [53ec9dab4eb0a8140fc85760fb50effb526fe219]
+4.9-upstream-stable: released (4.9.299) [1795af6435fa5f17ced2d34854fd4871e0780092]
+sid: released (5.14.16-1) [bugfix/all/media-firewire-firedtv-avc-fix-a-buffer-overflow-in-.patch]
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1) [bugfix/all/media-firewire-firedtv-avc-fix-a-buffer-overflow-in-.patch]
diff --git a/retired/CVE-2021-43389 b/retired/CVE-2021-43389
new file mode 100644
index 000000000..bd1b7e471
--- /dev/null
+++ b/retired/CVE-2021-43389
@@ -0,0 +1,17 @@
+Description: isdn: cpai: check ctr->cnr to avoid array index out of bound
+References:
+ https://www.openwall.com/lists/oss-security/2021/10/19/1
+ https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA@mail.gmail.com/
+Notes:
+ carnil> Fixed as well in 5.14.15 in 5.14.y.
+ bwh> This seems to really be a bug in the Bluetooth CMTP subsystem, which has
+ bwh> been present since that was added in Linux 2.6.2.
+Bugs:
+upstream: released (5.15-rc6) [1f3e2e97c003f80c4b087092b225c8787ff91e4d]
+5.10-upstream-stable: released (5.10.76) [7f221ccbee4ec662e2292d490a43ce6c314c4594]
+4.19-upstream-stable: released (4.19.214) [7d91adc0ccb060ce564103315189466eb822cc6a]
+4.9-upstream-stable: released (4.9.288) [24219a977bfe3d658687e45615c70998acdbac5a]
+sid: released (5.14.16-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2021-43976 b/retired/CVE-2021-43976
new file mode 100644
index 000000000..8c5e07d0b
--- /dev/null
+++ b/retired/CVE-2021-43976
@@ -0,0 +1,15 @@
+Description: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv
+References:
+ https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/
+ https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git/commit/?id=04d80663f67ccef893061b49ec8a42ff7045ae84
+Notes:
+ carnil> Fixed as well in 5.15.17 for 5.15.y.
+Bugs:
+upstream: released (5.17-rc1) [04d80663f67ccef893061b49ec8a42ff7045ae84]
+5.10-upstream-stable: released (5.10.94) [6036500fdf77caaca9333003f78d25a3d61c4e40]
+4.19-upstream-stable: released (4.19.226) [2f4b037bf6e8c663a593b8149263c5b6940c7afd]
+4.9-upstream-stable: released (4.9.298) [b233d7395cd104398dd83f130df5f0d57036c95e]
+sid: released (5.15.15-2) [bugfix/x86/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch]
+5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/mwifiex-Fix-skb_over_panic-in-mwifiex_usb_recv.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-44733 b/retired/CVE-2021-44733
new file mode 100644
index 000000000..d4431c920
--- /dev/null
+++ b/retired/CVE-2021-44733
@@ -0,0 +1,14 @@
+Description: tee: handle lookup of shm with reference count 0
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2030747
+ https://lore.kernel.org/lkml/20211214123540.1789434-1-jens.wiklander@linaro.org/
+Notes:
+Bugs:
+upstream: released (5.16-rc7) [dfd0743f1d9ea76931510ed150334d571fbab49d]
+5.10-upstream-stable: released (5.10.89) [c05d8f66ec3470e5212c4d08c46d6cb5738d600d]
+4.19-upstream-stable: released (4.19.224) [b4a661b4212b8fac8853ec3b68e4a909dccc88a1]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2021-45095 b/retired/CVE-2021-45095
new file mode 100644
index 000000000..e52acc95c
--- /dev/null
+++ b/retired/CVE-2021-45095
@@ -0,0 +1,14 @@
+Description: phonet: refcount leak in pep_sock_accep
+References:
+ https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bcd0f93353326954817a4f9fa55ec57fb38acbb0
+Notes:
+ carnil> Fixed as well in 5.15.14 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc6) [bcd0f93353326954817a4f9fa55ec57fb38acbb0]
+5.10-upstream-stable: released (5.10.91) [4f260ea5537db35d2eeec9bca78a74713078a544]
+4.19-upstream-stable: released (4.19.225) [4dece2760af408ad91d6e43afc485d20386c2885]
+4.9-upstream-stable: released (4.9.297) [3bae29ecb2909c46309671090311230239f1bdd7]
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2021-45480 b/retired/CVE-2021-45480
new file mode 100644
index 000000000..f4c59a49a
--- /dev/null
+++ b/retired/CVE-2021-45480
@@ -0,0 +1,15 @@
+Description: rds: memory leak in __rds_conn_create()
+References:
+Notes:
+ carnil> commit fixes aced3ce57cd3 ("RDS tcp loopback connection can
+ carnil> hang") in 5.15-rc4 (but was backported to 5.10.44, 4.19.195 in
+ carnil> particular). Fixed as well in 5.15.11 for 5.15.y.
+Bugs:
+upstream: released (5.16-rc6) [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
+5.10-upstream-stable: released (5.10.88) [74dc97dfb276542f12746d706abef63364d816bb]
+4.19-upstream-stable: released (4.19.222) [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2021-45868 b/retired/CVE-2021-45868
new file mode 100644
index 000000000..fd0e3b140
--- /dev/null
+++ b/retired/CVE-2021-45868
@@ -0,0 +1,15 @@
+Description:
+References:
+ https://bugzilla.kernel.org/show_bug.cgi?id=214655
+ https://www.openwall.com/lists/oss-security/2022/03/17/1
+ https://www.openwall.com/lists/oss-security/2022/03/17/2
+Notes:
+Bugs:
+upstream: released (5.16-rc1) [9bf3d20331295b1ecb81f4ed9ef358c51699a050]
+5.10-upstream-stable: released (5.10.80) [ceeb0a8a8716a1c72af3fa4d4f98c3aced32b037]
+4.19-upstream-stable: released (4.19.218) [e5222c87dc441dcc8a66e93cb3fd34dfff03d3ec]
+4.9-upstream-stable: released (4.9.291) [f7dd331a896700728492e02c20a69e53221cd7a4]
+sid: released (5.15.3-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
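Review bot: The Description: field is empty, so this retired entry carries no summary of the issue; only the three reference URLs identify it. Fill in a one-line description before retiring. The neighbouring entries use the subject of the upstream fix, which here would be the subject of 9bf3d20331295b1ecb81f4ed9ef358c51699a050.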
diff --git a/retired/CVE-2022-0001 b/retired/CVE-2022-0001
new file mode 100644
index 000000000..5cf3b1ea9
--- /dev/null
+++ b/retired/CVE-2022-0001
@@ -0,0 +1,15 @@
+Description: Sharing of branch predictor selectors between contexts on Intel CPUs
+References:
+ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
+ https://github.com/vusec/bhi-spectre-bhb
+Notes:
+ bwh> A.k.a. "Spectre BHB". Details to be published in INTEL-SA-00598
+Bugs:
+upstream: released (5.17-rc8) [d45476d9832409371537013ebdd8dc1a7781f97a, 1e19da8522c81bf46b335f84137165741e0d82b7, 5ad3eb1132453b9795ce5fd4572b1c18b292cca9, 44a3918c8245ab10c6c9719dd12e7a8d291980d8, 244d00b5dd4755f8df892c86cab35fb2cfd4f14b, e9b6013a7ce31535b04b02ba99babefe8a8599fa, eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678, 0de05d056afdb00eca8c7bbb0c79a3438daf700c]
+5.10-upstream-stable: released (5.10.105) [f38774bb6e231d647d40ceeb8ddf9082eabde667, a6a119d647ad1f73067d3cffb43104df3f920bcc, 071e8b69d7808d96f388d7c5ed606e75fd3d518d, afc2d635b5e18e2b33116d8e121ee149882e33eb, 2fdf67a1d215574c31b1a716f80fa0fdccd401d7, e335384560d1e106b609e8febd7e0427075a8938, cc9e3e55bde71b2fac1494f503d5ffc560c7fb8d, d04937ae94903087279e4a016b7741cdee59d521]
+4.19-upstream-stable: released (4.19.234) [25440a8c77dd2fde6a8e9cfc0c616916febf408e, 3f66bedb96ff4c064a819e68499f79b38297ba26, 7af95ef3ec6248696300fce5c68f6c8c4f50e4a4, 995629e1d8e6751936c6e2b738f70b392b0461de, d3cb3a6927222268a10b2f12dfb8c9444f7cc39e, c034d344e733a3ac574dd09e39e911a50025c607, 8bfdba77595aee5c3e83ed1c9994c35d6d409605, 9711b12a3f4c0fc73dd257c1e467e6e42155a5f1]
+4.9-upstream-stable: released (4.9.306) [a771511caa8e31cb5cac4fa39165ebbca3e62795, d0ba50275860b456ff570edf3dcc2db5d2eb9eb8, f9238d33710d74ac3dd668abaa53b2274f8e6fe6, 6481835a9a5b74e349e5c20ae8a9cb10a2e907fa, b6a1aec08a84ccb331ce526c051df074150cf3c5, 0db1c4307aded2c5e618654f9341a249e0c1051f, 8edabefdc13294a9b15671937d165b948cf34d69, 0753760184745250e39018bb25ba77557390fe91]
+sid: released (5.16.12-1) [bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+5.10-bullseye-security: released (5.10.103-1) [bugfix/x86/bhb/0002-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0003-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0004-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0005-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0006-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0007-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0009-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+4.19-buster-security: released (4.19.232-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+4.9-stretch-security: released (4.9.303-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
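Review bot: In Notes, "Details to be published in INTEL-SA-00598" reads as a pre-disclosure placeholder, yet References already links that advisory and every branch in this file is marked released. Suggest rewording the note to point at the advisory rather than announce it, and adding the trailing period that the same note carries in retired/CVE-2022-0002.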
diff --git a/retired/CVE-2022-0002 b/retired/CVE-2022-0002
new file mode 100644
index 000000000..fb8fda601
--- /dev/null
+++ b/retired/CVE-2022-0002
@@ -0,0 +1,17 @@
+Description: Sharing of branch predictor selectors in same context on Intel CPUs
+References:
+ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
+ https://github.com/vusec/bhi-spectre-bhb
+Notes:
+ bwh> A.k.a. "Spectre BHB". Details to be published in INTEL-SA-00598.
+ bwh> Unprivileged eBPF must also be disabled
+ bwh> (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y).
+Bugs:
+upstream: released (5.17-rc8) [d45476d9832409371537013ebdd8dc1a7781f97a, 1e19da8522c81bf46b335f84137165741e0d82b7, 5ad3eb1132453b9795ce5fd4572b1c18b292cca9, 44a3918c8245ab10c6c9719dd12e7a8d291980d8, 244d00b5dd4755f8df892c86cab35fb2cfd4f14b, e9b6013a7ce31535b04b02ba99babefe8a8599fa, eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678, 0de05d056afdb00eca8c7bbb0c79a3438daf700c]
+5.10-upstream-stable: released (5.10.105) [f38774bb6e231d647d40ceeb8ddf9082eabde667, a6a119d647ad1f73067d3cffb43104df3f920bcc, 071e8b69d7808d96f388d7c5ed606e75fd3d518d, afc2d635b5e18e2b33116d8e121ee149882e33eb, 2fdf67a1d215574c31b1a716f80fa0fdccd401d7, e335384560d1e106b609e8febd7e0427075a8938, cc9e3e55bde71b2fac1494f503d5ffc560c7fb8d, d04937ae94903087279e4a016b7741cdee59d521]
+4.19-upstream-stable: released (4.19.234) [25440a8c77dd2fde6a8e9cfc0c616916febf408e, 3f66bedb96ff4c064a819e68499f79b38297ba26, 7af95ef3ec6248696300fce5c68f6c8c4f50e4a4, 995629e1d8e6751936c6e2b738f70b392b0461de, d3cb3a6927222268a10b2f12dfb8c9444f7cc39e, c034d344e733a3ac574dd09e39e911a50025c607, 8bfdba77595aee5c3e83ed1c9994c35d6d409605, 9711b12a3f4c0fc73dd257c1e467e6e42155a5f1]
+4.9-upstream-stable: released (4.9.306) [a771511caa8e31cb5cac4fa39165ebbca3e62795, d0ba50275860b456ff570edf3dcc2db5d2eb9eb8, f9238d33710d74ac3dd668abaa53b2274f8e6fe6, 6481835a9a5b74e349e5c20ae8a9cb10a2e907fa, b6a1aec08a84ccb331ce526c051df074150cf3c5, 0db1c4307aded2c5e618654f9341a249e0c1051f, 8edabefdc13294a9b15671937d165b948cf34d69, 0753760184745250e39018bb25ba77557390fe91]
+sid: released (5.16.12-1) [bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+5.10-bullseye-security: released (5.10.103-1) [bugfix/x86/bhb/0002-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0003-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0004-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0005-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0006-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0007-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0008-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0009-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+4.19-buster-security: released (4.19.232-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
+4.9-stretch-security: released (4.9.303-1) [bugfix/x86/bhb/0004-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch, bugfix/x86/bhb/0005-x86-speculation-Add-eIBRS-Retpoline-options.patch, bugfix/x86/bhb/0006-Documentation-hw-vuln-Update-spectre-doc.patch, bugfix/x86/bhb/0007-x86-speculation-Include-unprivileged-eBPF-status-in-.patch, bugfix/x86/bhb/0008-x86-speculation-Use-generic-retpoline-by-default-on-.patch, bugfix/x86/bhb/0009-x86-speculation-Update-link-to-AMD-speculation-white.patch, bugfix/x86/bhb/0010-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch, bugfix/x86/bhb/0011-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch]
diff --git a/retired/CVE-2022-0322 b/retired/CVE-2022-0322
new file mode 100644
index 000000000..77a029418
--- /dev/null
+++ b/retired/CVE-2022-0322
@@ -0,0 +1,15 @@
+Description: sctp: account stream padding length for reconf chunk
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2042822
+Notes:
+ carnil> Commit fixes cc16f00f6529 ("sctp: add support for generating
+ carnil> stream reconf ssn reset request chunk") in 4.11-rc1.
+Bugs:
+upstream: released (5.15-rc6) [a2d859e3fc97e79d907761550dbc03ff1b36479c]
+5.10-upstream-stable: released (5.10.75) [d84a69ac410f6228873d05d35120f6bdddab7fc3]
+4.19-upstream-stable: released (4.19.213) [c57fdeff69b152185fafabd37e6bfecfce51efda]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.14.16-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2022-0330 b/retired/CVE-2022-0330
new file mode 100644
index 000000000..806ddbbe8
--- /dev/null
+++ b/retired/CVE-2022-0330
@@ -0,0 +1,14 @@
+Description: drm/i915: Flush TLBs before releasing backing store
+References:
+ https://www.openwall.com/lists/oss-security/2022/01/25/12
+Notes:
+ carnil> Fixed in 5.16.4 for 5.16.y and 5.15.18 for 5.15.y.
+Bugs:
+upstream: released (5.17-rc2) [7938d61591d33394a21bdd7797a245b65428f44c]
+5.10-upstream-stable: released (5.10.95) [6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88]
+4.19-upstream-stable: released (4.19.227) [b188780649081782e341e52223db47c49f172712]
+4.9-upstream-stable: released (4.9.299) [84f4ab5b47d955ad2bb30115d7841d3e8f0994f4]
+sid: released (5.15.15-2) [bugfix/x86/drm-i915-Flush-TLBs-before-releasing-backing-store.patch]
+5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/drm-i915-Flush-TLBs-before-releasing-backing-store.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-0435 b/retired/CVE-2022-0435
new file mode 100644
index 000000000..5495d3cfd
--- /dev/null
+++ b/retired/CVE-2022-0435
@@ -0,0 +1,16 @@
+Description: tipc: improve size validations for received domain records
+References:
+ https://www.openwall.com/lists/oss-security/2022/02/10/1
+Notes:
+ carnil> Introduced with 35c55c9877f8 ("tipc: add neighbor monitoring
+ carnil> framework") in 4.8-rc1.
+ carnil> Fixed as well in 5.16.9 for 5.16.y.
+Bugs:
+upstream: released (5.17-rc4) [9aa422ad326634b76309e8ff342c246800621216]
+5.10-upstream-stable: released (5.10.100) [3c7e5943553594f68bbc070683db6bb6f6e9e78e]
+4.19-upstream-stable: released (4.19.229) [f1af11edd08dd8376f7a84487cbb0ea8203e3a1d]
+4.9-upstream-stable: released (4.9.301) [175db196e45d6f0e6047eccd09c8ba55465eb131]
+sid: released (5.16.10-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/tipc-improve-size-validations-for-received-domain-re.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-0487 b/retired/CVE-2022-0487
new file mode 100644
index 000000000..5194a44d6
--- /dev/null
+++ b/retired/CVE-2022-0487
@@ -0,0 +1,16 @@
+Description: Use after free in moxart_remove
+References:
+ https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/
+ https://bugzilla.suse.com/show_bug.cgi?id=1194516
+ https://lore.kernel.org/all/20220127071638.4057899-1-gregkh@linuxfoundation.org/
+Notes:
+ carnil> CONFIG_MMC_MOXART is not set in Debian.
+Bugs:
+upstream: released (5.17-rc4) [bd2db32e7c3e35bd4d9b8bbff689434a50893546]
+5.10-upstream-stable: released (5.10.100) [be93028d306dac9f5b59ebebd9ec7abcfc69c156]
+4.19-upstream-stable: released (4.19.229) [9c25d5ff1856b91bd4365e813f566cb59aaa9552]
+4.9-upstream-stable: released (4.9.301) [f5dc193167591e88797262ec78515a0cbe79ff5f]
+sid: released (5.16.10-1)
+5.10-bullseye-security: released (5.10.103-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-0492 b/retired/CVE-2022-0492
new file mode 100644
index 000000000..bf08c11e4
--- /dev/null
+++ b/retired/CVE-2022-0492
@@ -0,0 +1,17 @@
+Description: cgroup-v1: Require capabilities to set release_agent
+References:
+ https://www.openwall.com/lists/oss-security/2022/02/04/1
+ https://twitter.com/chompie1337/status/1489366167600906240
+Notes:
+ carnil> Fixed as well in 5.15.20 for 5.15.y and 5.16.6 for 5.16.y.
+ carnil> Original fix will need a followup fix 467a726b754f ("cgroup-v1:
+ carnil> Correct privileges check in release_agent writes")
+Bugs:
+upstream: released (5.17-rc3) [24f6008564183aa120d07c03d9289519c2fe02af]
+5.10-upstream-stable: released (5.10.97) [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
+4.19-upstream-stable: released (4.19.229) [939f8b491887c27585933ea7dc5ad4123de58ff3]
+4.9-upstream-stable: released (4.9.301) [7e33a0ad792f04bad920c7197bda8cc2ea08d304]
+sid: released (5.16.7-1)
+5.10-bullseye-security: released (5.10.103-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
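Review bot: Notes state that the original fix needs the follow-up 467a726b754f ("cgroup-v1: Correct privileges check in release_agent writes"), but each branch line lists only the original commit and none records the follow-up. Before retiring, add the follow-up's hash per branch or note which version carries it, so the released versions can be checked to include both changes.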
diff --git a/retired/CVE-2022-0516 b/retired/CVE-2022-0516
new file mode 100644
index 000000000..516850982
--- /dev/null
+++ b/retired/CVE-2022-0516
@@ -0,0 +1,17 @@
+Description: KVM: s390: Return error on SIDA memop on normal guest
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2050237
+ https://www.openwall.com/lists/oss-security/2022/02/11/2
+Notes:
+ carnil> Introduced by 19e122776886 (KVM: S390: protvirt: Introduce
+ carnil> instruction data area bounce buffer) in 5.7-rc1
+ carnil> Fixed as well in 5.16.9 for 5.16.y.
+Bugs:
+upstream: released (5.17-rc4) [2c212e1baedcd782b2535a3f86bc491977677c0e]
+5.10-upstream-stable: released (5.10.100) [b62267b8b06e9b8bb429ae8f962ee431e6535d60]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.16.10-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/s390x/KVM-s390-Return-error-on-SIDA-memop-on-normal-guest.patch]
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
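Review bot: In Notes, the "Introduced by" line cites the commit subject in bare parentheses and ends without a period, while the other entries in this commit use the form hash ("subject") in version. For consistency, suggest writing it as 19e122776886 ("KVM: S390: protvirt: Introduce instruction data area bounce buffer") in 5.7-rc1.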
diff --git a/retired/CVE-2022-0617 b/retired/CVE-2022-0617
new file mode 100644
index 000000000..fb1e33161
--- /dev/null
+++ b/retired/CVE-2022-0617
@@ -0,0 +1,13 @@
+Description: Null pointer dereference can be triggered when write to an ICB inode
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2053632
+Notes:
+Bugs:
+upstream: released (5.17-rc2) [7fc3b7c2981bbd1047916ade327beccb90994eee, ea8569194b43f0f01f0a84c689388542c7254a1f]
+5.10-upstream-stable: released (5.10.96) [de7cc8bcca90a9d77c915ee1d922dbd670c47d84, 0a3cfd258923aee63e7f144f134d42e205421848]
+4.19-upstream-stable: released (4.19.228) [a23a59717f9f01a49394488f515550f9382fbada, 3740d41e7363374182a42f1621e06d5029c837d5]
+4.9-upstream-stable: released (4.9.300) [f24454e42b5a58267928b0de53b0dd9b43e4dd46, de10d14ce3aacba73c835cb979a85ef9683c193f]
+sid: released (5.16.7-1)
+5.10-bullseye-security: released (5.10.103-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-0644 b/retired/CVE-2022-0644
new file mode 100644
index 000000000..90a15c088
--- /dev/null
+++ b/retired/CVE-2022-0644
@@ -0,0 +1,15 @@
+Description: vfs: check fd has read access in kernel_read_file_from_fd()
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=2026491
+ https://lore.kernel.org/all/20211007220110.600005-1-willy@infradead.org/
+ https://lkml.org/lkml/2021/10/6/254
+Notes:
+Bugs:
+upstream: released (5.15-rc7) [032146cda85566abcd1c4884d9d23e4e30a07e9a]
+5.10-upstream-stable: released (5.10.76) [b721500c979b71a9f02eb84ca384082722c62d4e]
+4.19-upstream-stable: released (4.19.214) [c1ba20965b59c2eeb54a845ca5cab4fc7bcf9735]
+4.9-upstream-stable: released (4.9.288) [52ed5a196b1146e0368e95edc23c38fa1b50825a]
+sid: released (5.14.16-1)
+5.10-bullseye-security: released (5.10.84-1)
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.290-1)
diff --git a/retired/CVE-2022-0847 b/retired/CVE-2022-0847
new file mode 100644
index 000000000..725813f9a
--- /dev/null
+++ b/retired/CVE-2022-0847
@@ -0,0 +1,17 @@
+Description: lib/iov_iter: initialize "flags" in new pipe_buffer
+References:
+ https://www.openwall.com/lists/oss-security/2022/03/07/1
+ https://dirtypipe.cm4all.com/
+Notes:
+ carnil> Only exploitable starting in 5.8-rc1 due to f6dd975583bd
+ carnil> ("pipe: merge anon_pipe_buf*_ops"). The commit which landed in
+ carnil> 5.17-rc6 was still backported to all stable series.
+Bugs:
+upstream: released (5.17-rc6) [9d2231c5d74e13b2a0546fee6737ee4446017903]
+5.10-upstream-stable: released (5.10.102) [b19ec7afa9297d862ed86443e0164643b97250ab]
+4.19-upstream-stable: released (4.19.231) [d46c42d8d2742742eddf9290e72df4b563f2e301]
+4.9-upstream-stable: released (4.9.303) [c460ef6e0596eb5ca844c45338c20f6023f1e43c]
+sid: released (5.16.11-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch]
+4.19-buster-security: N/A "Vulnerable code introduced later"
+4.9-stretch-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2022-0998 b/retired/CVE-2022-0998
new file mode 100644
index 000000000..7ef46ebbc
--- /dev/null
+++ b/retired/CVE-2022-0998
@@ -0,0 +1,19 @@
+Description: vdpa: clean up get_config_size ret value handling
+References:
+ https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/
+ https://bugzilla.redhat.com/show_bug.cgi?id=2057506
+Notes:
+ carnil> CONFIG_VHOST_VDPA not set in Debian.
+ bwh> The vhost vDPA backend was introduced in 5.7.
+ bwh> The change in 5.17 is described as only clean up, while the actual
+ bwh> fix was commit 3ed21c1451a1, already included in all vulnerable
+ bwh> branches.
+Bugs:
+upstream: released (5.16-rc6) [3ed21c1451a14d139e1ceb18f2fa70865ce3195a]
+5.10-upstream-stable: released (5.10.88) [51f6302f81d243772047a74ffeceddfb11c964d5]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.15.15-1)
+5.10-bullseye-security: released (5.10.92-1)
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2022-1043 b/retired/CVE-2022-1043
new file mode 100644
index 000000000..6adac9308
--- /dev/null
+++ b/retired/CVE-2022-1043
@@ -0,0 +1,16 @@
+Description: io_uring: fix xa_alloc_cycle() error return value check
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1997328
+ https://bugzilla.suse.com/show_bug.cgi?id=1197393
+Notes:
+ carnil> Introduced by 61cf93700fe6 ("io_uring: Convert personality_idr
+ carnil> to XArray") in 5.12-rc3 (got backported to 5.10.51).
+Bugs:
+upstream: released (5.14-rc7) [a30f895ad3239f45012e860d4f94c1a388b36d14]
+5.10-upstream-stable: released (5.10.61) [695ab28a7fa107d0350ab19eba8ec89fac45a95d]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.14.6-1)
+5.10-bullseye-security: released (5.10.70-1)
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2022-22942 b/retired/CVE-2022-22942
new file mode 100644
index 000000000..4012da6b6
--- /dev/null
+++ b/retired/CVE-2022-22942
@@ -0,0 +1,17 @@
+Description: drm/vmwgfx: Fix stale file descriptors on failed usercopy
+References:
+ https://www.openwall.com/lists/oss-security/2022/01/27/4
+ https://www.openwall.com/lists/oss-security/2022/02/03/1
+Notes:
+ carnil> Commit fixes c906965dee22 ("drm/vmwgfx: Add export fence to
+ carnil> file descriptor support") in 4.14-rc1.
+ carnil> Fixed in 5.16.4 for 5.16.y and 5.15.18 for 5.15.y.
+Bugs:
+upstream: released (5.17-rc2) [a0f90c8815706981c483a652a6aefca51a5e191c]
+5.10-upstream-stable: released (5.10.95) [ae2b20f27732fe92055d9e7b350abc5cdf3e2414]
+4.19-upstream-stable: released (4.19.227) [0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.15.15-2) [bugfix/all/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch]
+5.10-bullseye-security: released (5.10.92-2) [bugfix/x86/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
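Review bot: The same patch file is recorded under two different directories: the sid line gives bugfix/all/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch, while the 5.10-bullseye-security line gives bugfix/x86/ for the identical file name. Please confirm the two packaging branches really carry it in different directories; if they do not, one of the paths is a copy error and should be corrected.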
diff --git a/retired/CVE-2022-24448 b/retired/CVE-2022-24448
new file mode 100644
index 000000000..3081a0fde
--- /dev/null
+++ b/retired/CVE-2022-24448
@@ -0,0 +1,13 @@
+Description NFSv4: Handle case where the lookup of a directory fails:
+References:
+ NFSv4: Handle case where the lookup of a directory fails
+Notes:
+Bugs:
+upstream: released (5.17-rc2) [ac795161c93699d600db16c1a8cc23a65a1eceaf]
+5.10-upstream-stable: released (5.10.96) [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
+4.19-upstream-stable: released (4.19.228) [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
+4.9-upstream-stable: released (4.9.300) [8788981e120694a82a3672e062fe4ea99446634a]
+sid: released (5.16.7-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
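Review bot: The first line of this file has its colon in the wrong place: "Description NFSv4: Handle case where the lookup of a directory fails:" has no colon after the field name and a stray one at the end, so anything matching on "Description:" will not find the field. It should read "Description: NFSv4: Handle case where the lookup of a directory fails". The References entry also repeats the commit subject instead of giving a URL. Either put a link there or leave the field empty, as retired/CVE-2022-24959 does.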
diff --git a/retired/CVE-2022-24959 b/retired/CVE-2022-24959
new file mode 100644
index 000000000..323dcedb3
--- /dev/null
+++ b/retired/CVE-2022-24959
@@ -0,0 +1,15 @@
+Description: yam: fix a memory leak in yam_siocdevprivate()
+References:
+Notes:
+ bwh> Introduced in 4.19 by commit 0781168e23a2 "yam: fix a missing-
+ bwh> check bug". (That didn't actually fix any bug because the
+ bwh> driver never looks at the second copy of the cmd field.)
+Bugs:
+upstream: released (5.17-rc2) [29eb31542787e1019208a2e1047bb7c76c069536]
+5.10-upstream-stable: released (5.10.96) [729e54636b3ebefb77796702a5b1f1ed5586895e]
+4.19-upstream-stable: released (4.19.228) [4bd197ce18329e3725fe3af5bd27daa4256d3ac7]
+4.9-upstream-stable: N/A "Vulnerability introduced later"
+sid: released (5.16.7-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/yam-fix-a-memory-leak-in-yam_siocdevprivate.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: N/A "Vulnerability introduced later"
diff --git a/retired/CVE-2022-25258 b/retired/CVE-2022-25258
new file mode 100644
index 000000000..c6034e00d
--- /dev/null
+++ b/retired/CVE-2022-25258
@@ -0,0 +1,13 @@
+Description: USB: gadget: validate interface OS descriptor requests
+References:
+ https://github.com/szymonh/d-os-descriptor
+Notes:
+Bugs:
+upstream: released (5.17-rc4) [75e5b4849b81e19e9efe1654b30d7f3151c33c2c]
+5.10-upstream-stable: released (5.10.101) [22ec1004728548598f4f5b4a079a7873409eacfd]
+4.19-upstream-stable: released (4.19.230) [e5eb8d19aee115d8fb354d1eff1b8df700467164]
+4.9-upstream-stable: released (4.9.302) [f3bcd744b0bc8dcc6cdb3ac5be20f54aecfb78a4]
+sid: released (5.16.10-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/USB-gadget-validate-interface-OS-descriptor-requests.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-25375 b/retired/CVE-2022-25375
new file mode 100644
index 000000000..e9b29ca0e
--- /dev/null
+++ b/retired/CVE-2022-25375
@@ -0,0 +1,14 @@
+Description: usb: gadget: rndis: check size of RNDIS_MSG_SET command
+References:
+ https://github.com/szymonh/rndis-co
+ https://www.openwall.com/lists/oss-security/2022/02/21/1
+Notes:
+Bugs:
+upstream: released (5.17-rc4) [38ea1eac7d88072bbffb630e2b3db83ca649b826]
+5.10-upstream-stable: released (5.10.101) [fb4ff0f96de37c44236598e8b53fe43b1df36bf3]
+4.19-upstream-stable: released (4.19.230) [db9aaa3026298d652e98f777bc0f5756e2455dda]
+4.9-upstream-stable: released (4.9.302) [ff0a90739925734c91c7e39befe3f4378e0c1369]
+sid: released (5.16.10-1)
+5.10-bullseye-security: released (5.10.92-2) [bugfix/all/usb-gadget-rndis-check-size-of-RNDIS_MSG_SET-command.patch]
+4.19-buster-security: released (4.19.232-1)
+4.9-stretch-security: released (4.9.303-1)
diff --git a/retired/CVE-2022-25636 b/retired/CVE-2022-25636
new file mode 100644
index 000000000..775e8cf27
--- /dev/null
+++ b/retired/CVE-2022-25636
@@ -0,0 +1,18 @@
+Description: netfilter: nf_tables_offload: incorrect flow offload action array size
+References:
+ https://www.openwall.com/lists/oss-security/2022/02/21/2
+ https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6
+ https://github.com/Bonfee/CVE-2022-25636
+ https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/
+Notes:
+ carnil> Introduced in be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev:
+ carnil> add offload support") in 5.4-rc1.
+Bugs:
+upstream: released (5.17-rc6) [b1a5983f56e371046dcf164f90bfaf704d2b89f6]
+5.10-upstream-stable: released (5.10.103) [68f19845f580a1d3ac1ef40e95b0250804e046bb]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.16.11-1) [bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch]
+5.10-bullseye-security: released (5.10.103-1)
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2022-26878 b/retired/CVE-2022-26878
new file mode 100644
index 000000000..373e0eaa7
--- /dev/null
+++ b/retired/CVE-2022-26878
@@ -0,0 +1,16 @@
+Description: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()
+References:
+ https://lore.kernel.org/linux-bluetooth/1A203F5E-FB5E-430C-BEA3-86B191D69D58@holtmann.org/
+Notes:
+ carnil> Commit fixes afd2daa26c7a ("Bluetooth: Add support for virtio
+ carnil> transport driver") in 5.13-rc1. Additionally BT_VIRTIO is not
+ carnil> set in Debian.
+Bugs:
+upstream: released (5.17-rc1) [ad7cb5f6fa5f7ea37208c98a9457dd98025a89ca]
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+4.9-upstream-stable: N/A "Vulnerable code not present"
+sid: released (5.16.7-1)
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
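Review bot: The sid line records released (5.16.7-1) with no patch path, while upstream is released in 5.17-rc1, so the file does not show how the fix reached 5.16.y. A line in Notes naming the 5.16.y stable release that carried ad7cb5f6fa5f7ea37208c98a9457dd98025a89ca, in the style of the "Fixed in 5.16.4 for 5.16.y" note in retired/CVE-2022-22942, would make the sid entry checkable. The existing note that BT_VIRTIO is not set in Debian is useful context and should stay.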
