author: Salvatore Bonaccorso <carnil@debian.org> 2019-09-07 10:41:32 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2019-09-07 10:41:32 +0200
commit: ac6f2b169e6ca1c3b4da17b2f170ac8d6a1120c3
tree: c7852d2053f3eed4a46bd751267294fe713a0a19 /retired
parent: 8f50cd785ed10c2531166ebdde4cdd4d1c434213
Retire several CVEs
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2019-15090 14
-rw-r--r-- retired/CVE-2019-15925 15
-rw-r--r-- retired/CVE-2019-3900 13
-rw-r--r-- retired/CVE-2019-ctnl-addr-leak 13
-rw-r--r-- retired/XSA-300 18
5 files changed, 73 insertions, 0 deletions
diff --git a/retired/CVE-2019-15090 b/retired/CVE-2019-15090
new file mode 100644
index 000000000..8ef368b81
--- /dev/null
+++ b/retired/CVE-2019-15090
@@ -0,0 +1,14 @@
+Description: scsi: qedi: remove memset/memcpy to nfunc and use func instead
+References:
+Notes:
+ carnil> Issue introduced in ace7f46ba5fd ("scsi: qedi: Add QLogic
+ carnil> FastLinQ offload iSCSI driver framework.") in 4.10-rc1.
+Bugs:
+upstream: released (5.2-rc2) [c09581a52765a85f19fc35340127396d5e3379cc]
+4.19-upstream-stable: released (4.19.53) [f3a7a1137ffc69e1f460eb9e1b5f4fd09d3c4ea9]
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+3.16-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.2.6-1)
+4.19-buster-security: released (4.19.67-1)
+4.9-stretch-security: N/A "Vulnerable code introduced later"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
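Review bot: The References: field is left empty and the Description is only the fix's subject line ("remove memset/memcpy to nfunc and use func instead"), so the retired record never says what the flaw in qedi is. Consider adding a reference for CVE-2019-15090 or a short note on the impact next to the existing note on the introducing commit.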
diff --git a/retired/CVE-2019-15925 b/retired/CVE-2019-15925
new file mode 100644
index 000000000..3671d8e09
--- /dev/null
+++ b/retired/CVE-2019-15925
@@ -0,0 +1,15 @@
+Description: net: hns3: add some error checking in hclge_tm module
+References:
+Notes:
+ carnil> Needs check when introduced but likely 848440544b41 ("net:
+ carnil> hns3: Add support of TX Scheduler & Shaper to HNS3 driver") in
+ carnil> 4.14-rc1.
+Bugs:
+upstream: released (5.3-rc1) [04f25edb48c441fc278ecc154c270f16966cbb90]
+4.19-upstream-stable: released (4.19.61) [26d86b29e806769adba91bd6fc1f077b94e9b64b]
+4.9-upstream-stable: N/A "Vulnerable code introduced later"
+3.16-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (5.2.6-1)
+4.19-buster-security: released (4.19.67-1)
+4.9-stretch-security: N/A "Vulnerable code introduced later"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
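Review bot: The Notes entry still reads "Needs check when introduced but likely 848440544b41", yet the 4.9 and 3.16 lines are marked N/A "Vulnerable code introduced later" on the strength of that unconfirmed commit. Confirm the introducing commit and update the note before retiring, so the N/A status of the older branches rests on a verified fact.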
diff --git a/retired/CVE-2019-3900 b/retired/CVE-2019-3900
new file mode 100644
index 000000000..38c3210f9
--- /dev/null
+++ b/retired/CVE-2019-3900
@@ -0,0 +1,13 @@
+Description: vhost_net: fix possible infinite loop
+References:
+ https://lore.kernel.org/lkml/1558067392-11740-1-git-send-email-jasowang@redhat.com/
+Notes:
+Bugs:
+upstream: released (5.2-rc4) [e2412c07f8f3040593dfb88207865a3cd58680c0, e79b431fb901ba1106670bcc80b9b617b25def7d, c1ea02f15ab5efb3e93fc3144d895410bf79fcf2]
+4.19-upstream-stable: released (4.19.64) [3af3b843aee41ed22343b011a4cf3812a80d2f38, 239910101c4ebf91a00e6f4a81ac3144b121f0c4, 02cdc166128cf9cb2be4786b997eebbc0b976bfa]
+4.9-upstream-stable: released (4.9.190) [66c8d9d53e657d5068d9f234bc4ec1d703107a48, 4b586288578a3a2aa4efb969feed86f2d760f082, 02b40edda9fd2e42abae40f5dd85122f13dbe7b8]
+3.16-upstream-stable: released (3.16.72) [f3a64b1071c414e59233b769110872a026f8d254, 6c74f68cf3ca570f39ff8a9e3b0ae357839c4560]
+sid: released (5.2.6-1)
+4.19-buster-security: released (4.19.67-1)
+4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/vhost-introduce-vhost_exceeds_weight.patch, bugfix/all/vhost_net-fix-possible-infinite-loop.patch, bugfix/all/vhost-scsi-add-weight-support.patch]
+3.16-jessie-security: released (3.16.72-1)
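Review bot: The 3.16-upstream-stable line lists two commits where upstream, 4.19-upstream-stable and 4.9-upstream-stable each list three, and Notes: is empty, so nothing explains the difference. Add a note saying which of the three upstream changes was not needed, or was folded into another commit, for 3.16.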
diff --git a/retired/CVE-2019-ctnl-addr-leak b/retired/CVE-2019-ctnl-addr-leak
new file mode 100644
index 000000000..cb73cd089
--- /dev/null
+++ b/retired/CVE-2019-ctnl-addr-leak
@@ -0,0 +1,13 @@
+Description: ctnetlink uses kernel addresses as user-visible IDs
+References:
+Notes:
+ bwh> Fix depends on adding siphash
+Bugs:
+upstream: released (5.1-rc7) [3c79107631db1f7fd32cf3f7368e4672004a3010]
+4.19-upstream-stable: released (4.19.44) [7b115755fb9d3aff0ddcd18a5c4d83381362acce]
+4.9-upstream-stable: released (4.9.190) [1922476beeeea46bebbe577215078736dd4231dc]
+3.16-upstream-stable: released (3.16.72) [3d8b3d0384f709126beef6b917b7e97c23f18e74]
+sid: released (5.2.6-1)
+4.19-buster-security: released (4.19.67-1)
+4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch]
+3.16-jessie-security: released (3.16.72-1)
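Review bot: bwh's note says the fix depends on adding siphash, but every branch line records a single commit or patch and none identifies the siphash prerequisite. For the branches that needed it backported, list that commit or patch next to the fix, or say in Notes where it landed.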
diff --git a/retired/XSA-300 b/retired/XSA-300
new file mode 100644
index 000000000..05fbd0c1c
--- /dev/null
+++ b/retired/XSA-300
@@ -0,0 +1,18 @@
+Description: No grant table and foreign mapping limits
+References:
+ https://xenbits.xen.org/xsa/advisory-300.html
+Notes:
+ carnil> Is a1078e821b60 ("xen: let alloc_xenballooned_pages() fail if
+ carnil> not enough memory free") enough or is more needed?
+ benh> The advisory says another patch will be needed for domU.
+ benh> For 3.16 we need d02bd27bd33d "mm/page_alloc.c: calculate
+ benh> 'available' memory in a separate function" first.
+Bugs:
+upstream: released (5.3-rc1) [a1078e821b605813b63bf6bca414a85f804d5c66]
+4.19-upstream-stable: released (4.19.61) [e73db096691e5f2720049502a3794a2a0c6d1b1f]
+4.9-upstream-stable: released (4.9.187) [259b0fc2caddc21a6b561b595747a8091102f7ff]
+3.16-upstream-stable: released (3.16.72) [2ed58e578b03269b23eb7119fb38478725ae6470]
+sid: released (5.2.6-1)
+4.19-buster-security: released (4.19.67-1)
+4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch]
+3.16-jessie-security: released (3.16.72-1)
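Review bot: Notes still carries carnil's open question ("enough or is more needed?") and benh's remark that the advisory calls for another patch for domU, while every branch is marked released against the single a1078e821b60 change or its backport. Record the outcome in Notes (whether the domU patch is tracked elsewhere or not required) before the file moves to retired/. The 3.16 prerequisite d02bd27bd33d is also not listed on the 3.16-upstream-stable line.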