| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022607-CVE-2022-49577-da62@gregkh> Date: Wed, 26 Feb 2025 03:22:20 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49577: udp: Fix a data-race around sysctl_udp_l3mdev_accept. Description =========== In the Linux kernel, the following vulnerability has been resolved: udp: Fix a data-race around sysctl_udp_l3mdev_accept. While reading sysctl_udp_l3mdev_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. The Linux kernel CVE team has assigned CVE-2022-49577 to this issue. Affected and fixed versions =========================== Issue introduced in 4.11 with commit 63a6fff353d01da5a22b72670c434bf12fa0e3b8 and fixed in 5.4.208 with commit f39b03bd727a8fea62e82f10fe2e0d753b9930ff Issue introduced in 4.11 with commit 63a6fff353d01da5a22b72670c434bf12fa0e3b8 and fixed in 5.10.134 with commit fcaef69c79ec222e55643e666b80b221e70fa6a8 Issue introduced in 4.11 with commit 63a6fff353d01da5a22b72670c434bf12fa0e3b8 and fixed in 5.15.58 with commit 3f2ac2d6511bb0652abf4d7388d65bb9ff1c641c Issue introduced in 4.11 with commit 63a6fff353d01da5a22b72670c434bf12fa0e3b8 and fixed in 5.18.15 with commit cb0d28934ca10f99c47e2c6f451405d6c954fe48 Issue introduced in 4.11 with commit 63a6fff353d01da5a22b72670c434bf12fa0e3b8 and fixed in 5.19 with commit 3d72bb4188c708bb16758c60822fc4dda7a95174 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49577 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/net/udp.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f39b03bd727a8fea62e82f10fe2e0d753b9930ff https://git.kernel.org/stable/c/fcaef69c79ec222e55643e666b80b221e70fa6a8 https://git.kernel.org/stable/c/3f2ac2d6511bb0652abf4d7388d65bb9ff1c641c https://git.kernel.org/stable/c/cb0d28934ca10f99c47e2c6f451405d6c954fe48 https://git.kernel.org/stable/c/3d72bb4188c708bb16758c60822fc4dda7a95174
Powered by blists - more mailing lists