Open Source and information security mailing list archives
Message-ID: <2024062034-pork-limes-2c4c@gregkh>
Date: Thu, 20 Jun 2024 10:18:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Juergen Gross <jgross@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	"security@...project.org" <security@...project.org>
Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms

On Thu, Jun 20, 2024 at 09:53:02AM +0200, Juergen Gross wrote:
> On 19.06.24 16:54, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > xen/blkfront: harden blkfront against event channel storms
> > 
> > The Xen blkfront driver is still vulnerable to an attack via an excessive
> > number of events sent by the backend. Fix that by using lateeoi event
> > channels.
> > 
> > This is part of XSA-391
> > 
> > The Linux kernel CVE team has assigned CVE-2021-47573 to this issue.
> 
> When issuing XSA-391 the Xen security team already assigned CVE-2021-28711
> to this issue.

Cool, but why was that not documented in the CVE entry itself?  I search
the existing CVE database when assigning CVEs for older things like this
(the import of the GSD database), and if there is no reference in the
CVE entry, then I have to assume that no CVE was assigned to the commit.

I'll go reject this one (and the other ones you pointed out), but can
you please update the CVE json entry with the information and ids of the
fixed commits so that everyone can correctly track these?

Also, the XSA-391 announcement doesn't say anything about them either,
is that intentional?

thanks,

greg k-h
