On 11/06/2024 10:41, Pablo Neira Ayuso wrote:
On Tue, Jun 11, 2024 at 11:28:29AM +0530, Harshit Mogalapalli wrote:
On 11/06/24 03:29, Pablo Neira Ayuso wrote:
On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
Hello netfilter developers,
Do we have any tests that we could run before sending a stable backport in
netfilter/ subsystem to stable@vger ?
Let us say we have a CVE fix which is only backported till 5.10.y but it is
needed in 5.4.y and 4.19.y; the backport might be easy to make, just
fixing some conflicts due to contextual changes or missing commits.
Which one in particular is missing?
I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 4.19.y
trees.
lts-5.10 : v5.10.198 - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-5.15 : v5.15.132 - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-6.1 : v6.1.54 - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
mainline : v6.6-rc1 - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write
This information is incorrect.
This fix is already in 6.1 -stable.
commit d9ebfc0f21377690837ebbd119e679243e0099cc
Author: Florian Westphal <fw@xxxxxxxxx>
Date: Tue Sep 5 23:13:56 2023 +0200
netfilter: nftables: exthdr: fix 4-byte stack OOB write
[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]
Right, it's in 6.1, 5.10, and 5.5 -- that's what the list above shows.
It still seems to be missing from 5.4 and 4.19.
Vegard