| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024123009-wobbly-albatross-d8e3@gregkh>
Date: Mon, 30 Dec 2024 15:19:53 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
Vegard Nossum <vegard.nossum@...cle.com>
Subject: Re: CVE-2024-26929: scsi: qla2xxx: Fix double free of fcport
On Sun, Dec 29, 2024 at 06:17:14PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 29/12/24 12:54, Greg Kroah-Hartman wrote:
> ...
> > >
> > >
> > > I think the broken commit/vuln commit is: 4895009c4bb7 ("scsi: qla2xxx:
> > > Prevent command send on chip reset") and this is only present in stable
> > > kernels newer than (>=) 5.15.y.
> > >
> > > Is it worth putting the vuln commit information if we find out what the
> > > broken/vuln commit is while trying to backport it to older stable kernels ?
> >
> > Yes it is, our tools provide for this, see:
> > https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/schema#n69
> > for how to do it (i.e. give us a git id and we can add a .vulnerable
> > file so the tools pick it up properly, or send us a patch for that!)
> >
> > Do you want to send a patch for this, or do you need us to?
> >
>
> I will send a patch, thanks for the guidance.
Great! Also feel free to send patches for any other cve that you notice
needs a proper ".vulnerable" entry added for it. I am sure there are
loads of them missing.
thanks,
greg k-h
Powered by blists - more mailing lists