Message-ID: <2024062034-pork-limes-2c4c@gregkh>
Date: Thu, 20 Jun 2024 10:18:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Juergen Gross <jgross@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
"security@...project.org" <security@...project.org>
Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
On Thu, Jun 20, 2024 at 09:53:02AM +0200, Juergen Gross wrote:
> On 19.06.24 16:54, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > xen/blkfront: harden blkfront against event channel storms
> >
> > The Xen blkfront driver is still vulnerable to an attack via an excessive
> > number of events sent by the backend. Fix that by using lateeoi event
> > channels.
> >
> > This is part of XSA-391
> >
> > The Linux kernel CVE team has assigned CVE-2021-47573 to this issue.
>
> When issuing XSA-391 the Xen security team already assigned CVE-2021-28711
> to this issue.
Cool, but why was that not documented in the CVE entry itself? I search
the existing CVE database when assigning CVEs for older things like this
(the import of the GSD database), and if there is no reference in the
CVE entry, then I have to assume that no CVE was assigned to the commit.
I'll go reject this one (and the other ones you pointed out), but can
you please update the CVE json entry with the information and ids of the
fixed commits so that everyone can correctly track these?
Also, the XSA-391 announcement doesn't say anything about them either;
is that intentional?
thanks,
greg k-h