| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024062034-pork-limes-2c4c@gregkh> Date: Thu, 20 Jun 2024 10:18:41 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Juergen Gross <jgross@...e.com> Cc: cve@...nel.org, linux-kernel@...r.kernel.org, "security@...project.org" <security@...project.org> Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms On Thu, Jun 20, 2024 at 09:53:02AM +0200, Juergen Gross wrote: > On 19.06.24 16:54, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > xen/blkfront: harden blkfront against event channel storms > > > > The Xen blkfront driver is still vulnerable for an attack via excessive > > number of events sent by the backend. Fix that by using lateeoi event > > channels. > > > > This is part of XSA-391 > > > > The Linux kernel CVE team has assigned CVE-2021-47573 to this issue. > > When issuing XSA-391 the Xen security team already assigned CVE-2021-28711 > to this issue. Cool, but why was that not documented in the CVE entry itself? I search the existing CVE database when assigning CVEs for older things like this (the import of the GSD database), and if there is no reference in the CVE entry, then I have to assume that no CVE was assigned to the commit. I'll go reject this one (and the other ones you pointed out), but can you please update the CVE json entry with the information and ids of the fixed commits so that everyone can correctly track these? Also, the XSA-391 announcement doesn't say anything about them either, is that intentional? thanks, greg k-h
Powered by blists - more mailing lists