From c3b06f9bc74e8b3283af2e0b54415913b0ed2d3a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 29 Jan 2020 06:06:25 +0100 Subject: Update notes on CVE-2020-8428 Reference full commit ID for the upstream commit for earier tracking while grepping trough the upstream git log. Not necessary but makes things a bit easier. The 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and regular files") change was as well backported to several stable releases (4.4.166, 4.9.142 and 4.14.85) and is thus as issue as well present in older upstream releases (and Debian releases). --- active/CVE-2020-8428 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/active/CVE-2020-8428 b/active/CVE-2020-8428 index 40a1c53c..2c98b17f 100644 --- a/active/CVE-2020-8428 +++ b/active/CVE-2020-8428 @@ -2,12 +2,15 @@ Description: user-triggerable read-after-free crash or 1-bit infoleak oracle in References: https://www.openwall.com/lists/oss-security/2020/01/28/2 Notes: + carnil> The issue go introduced with 30aba6656f61 ("namei: allow + carnil> restricted O_CREAT of FIFOs and regular files") in 4.19-rc1 + carnil> which got backported to 4.4.166, 4.9.142 and 4.14.85. Bugs: -upstream: released (5.5) [d0cb50185ae9] +upstream: released (5.5) [d0cb50185ae942b03c4327be322055d622dc79f6] 4.19-upstream-stable: needed -4.9-upstream-stable: N/A "Introduced in 4.19 with 30aba6656f61" +4.9-upstream-stable: needed 3.16-upstream-stable: N/A "Introduced in 4.19 with 30aba6656f61" sid: needed 4.19-buster-security: needed -4.9-stretch-security: N/A "Introduced in 4.19 with 30aba6656f61" +4.9-stretch-security: needed 3.16-jessie-security: N/A "Introduced in 4.19 with 30aba6656f61" -- cgit v1.2.3