| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Feb 2024 10:52:23 +0100
From: Thorsten Leemhuis <linux@...mhuis.info>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2024-26602: sched/membarrier: reduce the ability to hammer on
sys_membarrier
On 25.02.24 10:47, Greg Kroah-Hartman wrote:
> On Sun, Feb 25, 2024 at 10:31:19AM +0100, Thorsten Leemhuis wrote:
>> On 24.02.24 15:57, Greg Kroah-Hartman wrote:
> [...]
>>> Affected and fixed versions
>>> ===========================
>>>
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 4.19.307 with commit 3cd139875e9a
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.4.269 with commit 2441a64070b8
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.10.210 with commit db896bbe4a9c
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.15.149 with commit 50fb4e17df31
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.1.79 with commit 24ec7504a08a
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.6.18 with commit b6a2a9cbb675
>>> Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.7.6 with commit c5b2063c65d0
>>>
>>> Please see [...]
>> Greg, JFYI, I noticed that this announcement did not refer to the fix in
>> mainline (944d5fe50f3f03 ("sched/membarrier: reduce the ability to
>> hammer on sys_membarrier")) while most of the others do that. I don't
>> care at all, just noticed this by chance and wanted to let you know in
>> case it's due to a bug in a script or something. I hope there is not a
>> good reason for that difference I just failed to spot... (if that's the
>> case: apologies in advance for the noise!).
>
> The json entry will be updated when the commit shows up in a tagged
> release (i.e. the next -rc release), and then when the real release
> happens from Linus (i.e. 6.8), it will be updated then as well.
>
> But for now, the mainline commit is not in any "real" release so we
> can't reference it here in the message or in the json record as per the
> rules from CVE.
Ohh, interesting and somewhat understandable.
Thx for your answer!
Ciao, Thorsten
Powered by blists - more mailing lists