On Tue, 2017-04-25 at 19:39 +0200, Greg Kroah-Hartman wrote:
> On Tue, Apr 25, 2017 at 06:07:38PM +0100, Ben Hutchings wrote:
> > Greg,
> >
> > I've found a number of CVEs fixed in upstream a while ago but still
> > affecting stable branches. The following commits should fix most of
> > those for 4.4:
> >
> > d29216842a85c7970c536108e093963f02714498 (CVE-2016-6213) [backported]
> > 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 (CVE-2016-7913)
> > c58d6c93680f28ac58984af61d0a7ebf4319c241 (CVE-2016-7917)
> > 3de81b758853f0b29c61e246679d20b513c4cfec (CVE-2016-8632) [backported]
> > 05692d7005a364add85c6e25a6c4447ce08f913a (CVE-2016-9083, CVE-2016-9084)
> > 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 (CVE-2016-9120)
> > 43a6684519ab0a6c52024b5e25322476cabad893 (CVE-2017-2671)
> > 321027c1fe77f892f4ea07846aeae08cefbbb290 (CVE-2017-6001) [backported]
> > 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b (CVE-2017-7308)
> > bcc5364bdcfe131e6379363f089e7b4108d35b70 (CVE-2017-7308)
> >
> > I've attached patches for those that needed work to backport.
> >
> > CVE-2017-7308 isn't yet fixed in 4.9 or 4.10, but David Miller has the
> > patches queued up.
> >
> > I should be able to provide you with a (much longer) list for 3.18
> > later.
>
> Very nice, thank you so much for this! I'll queue them up for the next
> 4.4 release after this one gets released in a few days.
>
> How did you happen to find these? Where am I not looking that I should
> have seen these? For 4.4, I hope I'm paying attention :)

I wrote some scripts to pull data from distribution security trackers
and combine that with the stable commit logs. I'll let you know when
I'm able to publish this stuff.

Ben.

--
Ben Hutchings
Software Developer, Codethink Ltd.
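
Added example, not part of the thread and not Ben Hutchings's scripts: one way to combine a tracker's CVE-to-fix-commit mapping with a stable branch log is to collect the mainline ids named by backport markers and report the fixes that have none. The function names, the tracker layout and the log excerpt are assumptions made for this sketch; the commit ids are taken from the list in the message.

```python
import re

# Markers that stable backports use to name the mainline commit they came from.
UPSTREAM_RE = re.compile(
    r"^\s*(?:\[ Upstream commit ([0-9a-f]{40}) \]"
    r"|commit ([0-9a-f]{40}) upstream\.?"
    r"|\(cherry picked from commit ([0-9a-f]{40})\))\s*$",
    re.MULTILINE | re.IGNORECASE,
)

# CVE -> mainline fix commits, a subset of the list in the message above.
TRACKER = {
    "CVE-2016-7913": ["8dfbcc4351a0b6d2f2d77f367552f48ffefafe18"],
    "CVE-2016-9120": ["9590232bb4f4cc824f3425a6e1349afbe6d6d2b7"],
    "CVE-2017-7308": ["8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b",
                      "bcc5364bdcfe131e6379363f089e7b4108d35b70"],
}

# Constructed `git log` excerpt; it does not describe any real stable branch.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111

    subsys: constructed subject one

    commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 upstream.

commit 2222222222222222222222222222222222222222

    subsys: constructed subject two

    [ Upstream commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b ]
"""

def backported_upstream_ids(git_log_text):
    """Mainline commit ids that the branch log claims to have backported."""
    return {next(g for g in m.groups() if g).lower()
            for m in UPSTREAM_RE.finditer(git_log_text)}

def missing_fixes(tracker, git_log_text):
    """Map each CVE to the fix commits with no backport marker in the log."""
    present = backported_upstream_ids(git_log_text)
    missing = {}
    for cve, fixes in tracker.items():
        absent = [c for c in fixes if c.lower() not in present]
        if absent:
            missing[cve] = absent
    return missing

if __name__ == "__main__":
    for cve, commits in sorted(missing_fixes(TRACKER, SAMPLE_LOG).items()):
        print(cve, "missing:", ", ".join(commits))
```

A fix that was already in mainline when the stable branch forked carries no marker, so a real check also needs an ancestry test such as `git merge-base --is-ancestor <fix> <branch>` before reporting it as missing.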