On 05/19/2018 12:44 AM, Greg Kroah-Hartman wrote:
On Fri, May 18, 2018 at 09:00:07AM -0700, Guenter Roeck wrote:
On Fri, May 18, 2018 at 04:52:07PM +0200, Greg Kroah-Hartman wrote:
On Fri, May 18, 2018 at 06:47:46AM -0700, Guenter Roeck wrote:
Hi Greg,
please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()")
to v4.9.y and older to fix CVE-2018-10087.
Odd no one asked for that one to be backported before :(
Not entirely surprising. The patch is from July 2017, it wasn't marked
for stable, and the CVE has been created only recently (04/13/2018).
CVE severity and the reference to the upstream commit were added
yesterday, which caused our CVE tracker to barf at me.
Who applied for the CVE number? They should have been the ones to
notify people of the issue, so who should I go kick about this? :)
No idea, and no idea how to find out.
Guenter
