From 0a7662be45fee3ee642ec68e6daca93f17769881 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 10 Sep 2020 10:29:45 +0200 Subject: Update information on CVE-2020-14356 and add CVE-2020-25220 --- active/CVE-2020-14356 | 5 +++++ active/CVE-2020-25220 | 14 ++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 active/CVE-2020-25220 diff --git a/active/CVE-2020-14356 b/active/CVE-2020-14356 index 412ae5ad..b6694327 100644 --- a/active/CVE-2020-14356 +++ b/active/CVE-2020-14356 @@ -4,6 +4,11 @@ References: https://lore.kernel.org/netdev/CAM_iQpUKQJrj8wE+Qa8NGR3P0L+5Uz=qo-O5+k_P60HzTde6aw%40mail.gmail.com/t/ https://bugzilla.redhat.com/show_bug.cgi?id=1868453 Notes: + carnil> Some care needs to be applied here to not make a released + carnil> version affected by CVE-2020-25220. Additionally to the fixing + carnil> commit refered there is need to apply "cgroup: add missing skcd- + carnil> >no_refcnt check in cgroup_sk_alloc()" which was included in + carnil> 4.9.233, 4.14.194 and 4.19.140. Bugs: 966846 upstream: released (5.8-rc5) [ad0f75e5f57ccbceec13274e1e242f2b5a6397ed] diff --git a/active/CVE-2020-25220 b/active/CVE-2020-25220 new file mode 100644 index 00000000..d6218be6 --- /dev/null +++ b/active/CVE-2020-25220 
@@ -0,0 +1,14 @@ +Description: cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone() +References: + https://www.spinics.net/lists/stable/msg405099.html +Notes: + carnil> Exists because of a backporting issue in the v4.9.y, v4.14.y + carnil> and v4.19.y stable series when backporting fix for CVE-2020- + carnil> 14356. +Bugs: +upstream: N/A "Vulnerable code not present" +4.19-upstream-stable: released (4.19.140) [38de4308c5c3319ae9c815b6d6aa8d2b5804bace] +4.9-upstream-stable: released (4.9.233) [f3b1d647251a94a6968a35e3d685dc8b1b24c3ff] +sid: N/A "Vulnerable code not present" +4.19-buster-security: N/A "No released version contains broken backport" +4.9-stretch-security: N/A "No released version contains broken backport" -- cgit v1.2.3
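Review bot: The carnil> note added to active/CVE-2020-14356 names the follow-up commit as "cgroup: add missing skcd->no_refcnt check in cgroup_sk_alloc()", but the new active/CVE-2020-25220 file describes the same stable-only fix as "cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()"; one of the two function names is wrong and they should be reconciled against the actual subject of the stable commits listed (38de4308c5c3 for 4.19.140, f3b1d647251a for 4.9.233). While touching that note, "refered" should read "referred", and the commit subject would be easier to grep if it were not wrapped across lines as "skcd-" / ">no_refcnt".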
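Review bot: In the new active/CVE-2020-25220 file the Notes say the broken backport affects the v4.9.y, v4.14.y and v4.19.y series, and the CVE-2020-14356 note lists 4.14.194 as a fixed version, yet only 4.19-upstream-stable and 4.9-upstream-stable entries are recorded here; if 4.14 is intentionally untracked because no Debian suite ships it, a short remark in the Notes would make that explicit, otherwise a matching 4.14 line is missing. The single reference is a spinics.net mirror of the stable list posting; consider adding the corresponding lore.kernel.org permalink so the reference does not depend on a third-party archive.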