lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4c82dd8b-aa66-4edb-afbd-cfff6afc39dc@leemhuis.info>
Date: Sun, 25 Feb 2024 10:52:23 +0100
From: Thorsten Leemhuis <linux@...mhuis.info>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2024-26602: sched/membarrier: reduce the ability to hammer on
 sys_membarrier

On 25.02.24 10:47, Greg Kroah-Hartman wrote:
> On Sun, Feb 25, 2024 at 10:31:19AM +0100, Thorsten Leemhuis wrote:
>> On 24.02.24 15:57, Greg Kroah-Hartman wrote:
> [...]
>>> Affected and fixed versions
>>> ===========================
>>>
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 4.19.307 with commit 3cd139875e9a
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.4.269 with commit 2441a64070b8
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.10.210 with commit db896bbe4a9c
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 5.15.149 with commit 50fb4e17df31
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.1.79 with commit 24ec7504a08a
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.6.18 with commit b6a2a9cbb675
>>> 	Issue introduced in 4.14 with commit c5f58bd58f43 and fixed in 6.7.6 with commit c5b2063c65d0
>>>
>>> Please see [...]
>> Greg, JFYI, I noticed that this announcement did not refer to the fix in
>> mainline (944d5fe50f3f03 ("sched/membarrier: reduce the ability to
>> hammer on sys_membarrier")) while most of the others do that. I don't
>> care at all, just noticed this by chance and wanted to let you know in
>> case it's due to a bug in a script or something. I hope there is not a
>> good reason for that difference I just failed to spot... (if that's the
>> case: apologies in advance for the noise!).
> 
> The json entry will be updated when the commit shows up in a tagged
> release (i.e. the next -rc release), and then when the real release
> happens from Linus (i.e. 6.8), it will be updated then as well.
> 
> But for now, the mainline commit is not in any "real" release so we
> can't reference it here in the message or in the json record as per the
> rules from CVE.

Ohh, interesting and somewhat understandable.

Thx for your answer!

Ciao, Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ