| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091857-CVE-2023-53431-7eac@gregkh> Date: Thu, 18 Sep 2025 18:04:22 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53431: scsi: ses: Don't attach if enclosure has no components From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Don't attach if enclosure has no components An enclosure with no components can't usefully be operated by the driver (since effectively it has nothing to manage), so report the problem and don't attach. Not attaching also fixes an oops which could occur if the driver tries to manage a zero component enclosure. [mkp: Switched to KERN_WARNING since this scenario is common] The Linux kernel CVE team has assigned CVE-2023-53431 to this issue. Affected and fixed versions =========================== Fixed in 4.14.308 with commit 4863fefc8a8cc8e8f6c7635b12d9dffaa0a12d86 Fixed in 4.19.276 with commit feefd5232ecb788f0666f75893a7a86faec8bbcc Fixed in 5.4.235 with commit 6069e04a922a0488bcf4f1017d38d18afda8194c Fixed in 5.10.173 with commit d68937dfc73ee7f61cf3424fa3225be93cacaa00 Fixed in 5.15.99 with commit 6fce2307650a190e343a84537c278d499fa37c26 Fixed in 6.1.16 with commit 5ca5470b33e5221dd3e5be81108697c22dd38b56 Fixed in 6.2.3 with commit f182ad02024d3f45374a9e0c9d76f28b776d762d Fixed in 6.3 with commit 3fe97ff3d94934649abb0652028dd7296170c8d0 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53431 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/scsi/ses.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/4863fefc8a8cc8e8f6c7635b12d9dffaa0a12d86 https://git.kernel.org/stable/c/feefd5232ecb788f0666f75893a7a86faec8bbcc https://git.kernel.org/stable/c/6069e04a922a0488bcf4f1017d38d18afda8194c https://git.kernel.org/stable/c/d68937dfc73ee7f61cf3424fa3225be93cacaa00 https://git.kernel.org/stable/c/6fce2307650a190e343a84537c278d499fa37c26 https://git.kernel.org/stable/c/5ca5470b33e5221dd3e5be81108697c22dd38b56 https://git.kernel.org/stable/c/f182ad02024d3f45374a9e0c9d76f28b776d762d https://git.kernel.org/stable/c/3fe97ff3d94934649abb0652028dd7296170c8d0
Powered by blists - more mailing lists