On Thu, Jun 02, 2016 at 10:49:09AM +0200, Moritz Muehlenhoff wrote: > Hi, > I checked for missing security fixes as of 4.4.12. Can you please > merge the following? (didn't check other stable kernels): > > CVE-2015-7833: [media] usbvision fix overflow of interfaces array > 588afcc1c0e45358159090d95bf7b246fb67565f > (second part of that was already merged in 4.4.8) Are you sure about this one? I thought there was discussions about if this was correct or not... > CVE-2016-2847: pipe: limit the per-user amount of pages allocated in pipes > 759c01142a5d0f364a462346168a56de28a80f52 > (the patch mentions CVE-2013-4312, but a different CVE ID was assigned later) Have you tested this? > CVE-2016-0758: KEYS: Fix ASN.1 indefinite length object parsing > 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Is this a real issue? If so, can you cc: the patch authors and ask them if they want this in a stable kernel? Same goes for all of these patches that are not originally tagged with a stable mark, I need the acks from the maintainers. > > CVE-2016-4578: ALSA: timer: Fix leak in events via snd_timer_user_ccallback > ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt > 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5 > > CVE-2016-4569: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS > cec8f96e49d9be372fdb0c3836dcf31ec71e457e There might have been a reason these were not tagged with stable marks, have you tested to see if they are relevant? thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html