[06:10] <ingvar> pfsmorigo: Adding the full patch set means you may just upgrade to the next minor release. The only change would be the name of the package.
[06:11] <ingvar> But as it suits you
[06:13] <ingvar> You may also cherry pick, and even edit the patches to remove the unnecessary stuff, like doc and changes. But it sounds a bit silly to do all that work instead of using the packaged and quality checked next minor release from upstream.
[06:23] <dikonoor> Hi, I am using Ubuntu 20.04 and I am looking for information on by when Ubuntu plans to release security fixes for these CVEs 1) https://ubuntu.com/security/CVE-2022-1012 2) 
[06:23] <dikonoor> https://ubuntu.com/security/CVE-2022-2327 3) 
[06:23] <dikonoor> https://ubuntu.com/security/CVE-2022-36946 4) 
[06:23] <dikonoor> https://ubuntu.com/security/CVE-2022-1280. These are all high.
[06:23] <ubottu> A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012>
[06:23] <ubottu> io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2327>
[06:23] <ubottu> nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946>
[06:23] <ubottu> A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1280>
[06:28] <amurray> dikonoor: these are all marked as Medium priority so this means they get included as part of the normal kernel team's SRU workflow - the kernel team does new kernel releases every 3 weeks and the next release is due on 29th August - so likely these should be included in that release
[06:31] <dikonoor> amurray: That's helpful. Thanks for your response. One question. I assume this means that the fixes will be available as part of the 5.4.0.* kernel version.
[06:33] <amurray> dikonoor: yes, as that is the kernel version that ships with Ubuntu 20.04 - also note that CVE 2022-2209 likely doesn't affect the 5.4 kernel but this still needs a more thorough investigation
[06:33] <ubottu> ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2209>
[06:34] <dikonoor> amurray:Thanks for the confirmation
[06:43] <amurray> ugh sorry I meant 2022-2327
=== JanC is now known as Guest8332
=== JanC_ is now known as JanC