Hi Ben,

On Tue, Aug 24, 2021 at 12:37 AM Ben Greear <greearb@xxxxxxxxxxxxxxx> wrote:
>
> On 8/23/21 7:08 AM, Pali Rohár wrote:
> > Hello Sasha and Greg!
> >
> > Last week I sent request for backporting ath9k wifi fixes for security
> > issue CVE-2020-3702 into stable LTS kernels because Qualcomm/maintainers
> > did not it for more months... details are in email:
> > https://lore.kernel.org/stable/20210818084859.vcs4vs3yd6zetmyt@pali/t/#u
>
> For one thing, almost everyone using these radios is using openwrt or
> similar which has its own patch sets.

For reference, according to Debian's own security tracker, only
CVE-2020-26139 is patched on all but the most ancient tracked release:

https://security-tracker.debian.org/tracker/CVE-2020-26139
(fixed in all but the most ancient release)
https://security-tracker.debian.org/tracker/CVE-2020-3702
(all tracked kernels are vulnerable)
https://security-tracker.debian.org/tracker/CVE-2020-26145
(only testing/unstable is fixed)
https://security-tracker.debian.org/tracker/CVE-2020-26141
(only testing/unstable is fixed)

Debian Buster has a 4.19 kernel and they only released Bullseye, its
successor, a couple of weeks ago, so there's probably a
not-insignificant number of PCs out there still running kernels that
old, and I understand that they'll be supporting Buster with security
fixes for approximately another year:

https://www.debian.org/security/faq#lifespan

Thanks,

--
Julian Calaby

Email: julian.calaby@xxxxxxxxx
Profile: http://www.google.com/profiles/julian.calaby/