| ingvar | pfsmorigo: Adding the full patch set means you may just upgrade to the next minor release. The only change would be the name of the package. | 06:10 |
|---|---|---|
| ingvar | But as it suits you | 06:11 |
| ingvar | You may also cherry pick, and even edit the patches to remove the unnecessary stuff, like doc and changes. But it sounds a bit silly to do all that work instead of using the packaged and quality checked next minor release from upstream. | 06:13 |
| dikonoor | Hi, I am using Ubuntu 20.04 and I am looking for information on by when Ubuntu plans to release security fixes for these CVEs 1) https://ubuntu.com/security/CVE-2022-1012 2) | 06:23 |
| dikonoor | https://ubuntu.com/security/CVE-2022-2327 3) | 06:23 |
| dikonoor | https://ubuntu.com/security/CVE-2022-36946 4) | 06:23 |
| dikonoor | https://ubuntu.com/security/CVE-2022-1280. These are all high. | 06:23 |
| ubottu | A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012> | 06:23 |
| ubottu | io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2327> | 06:23 |
| ubottu | nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946> | 06:23 |
| ubottu | A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1280> | 06:23 |
| amurray | dikonoor: these are all marked as Medium priority so this means they get included as part of the normal kernel team's SRU workflow - the kernel team does new kernel releases every 3 weeks and the next release is due on 29th August - so likely these should be included in that release | 06:28 |
| dikonoor | amurray: That's helpful. Thanks for your response. One question. I assume this means that the fixes will be available as part of the 5.4.0.* kernel version. | 06:31 |
| amurray | dikonoor: yes, as that is the kernel version that ships with Ubuntu 20.04 - also note that CVE 2022-2209 likely doesn't affect the 5.4 kernel but this still needs a more thorough investigation | 06:33 |
| ubottu | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2209> | 06:33 |
| dikonoor | amurray:Thanks for the confirmation | 06:34 |
| amurray | ugh sorry I meant 2022-2327 | 06:43 |
| === JanC is now known as Guest8332 | ||
| === JanC_ is now known as JanC | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!