Opened 8 weeks ago

Closed 8 weeks ago

#4863 closed enhancement (fixed)

linux-5.12.8

Reported by: Bruce Dubbs Owned by: ken@…
Priority: high Milestone: 11.0
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by ken@…, 8 weeks ago

Priority: normal → high

5.12.8 picks up the new fixes for 'Confused Deputy' privilege escalation attacks which go back to linux-2.6. See e.g. https://www.phoronix.com/scan.php?page=news_item&px=Linux-Confused-Deputy-2.6.12

comment:2 by ken@…, 8 weeks ago

According to lwn.net https://lwn.net/ml/oss-security/CAFzhf4r3C=hqrH_yXVQExeQV5iqrdim7kp-NBDTm6FmSCicbeQ@mail.gmail.com/ this is only if BPF has been enabled, however it seems that might now be a default - on at least one of my machines I see that it is enabled, although I have not deliberately done so (and I've regarded it as trouble after the initial Spectre reports which mentioned it re AMD): looks as if CONFIG_NET selects it, so everyone who is online will have it enabled.

Also fixed in 5.10.41 and 5.4.123 if anyone is using those older series; all other 5.x kernels are no longer maintained.
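The comment above turns on two questions a defender can answer from the machine itself: is BPF actually built into the running kernel (the comment notes CONFIG_NET selects it), and is the running kernel at or past one of the releases the ticket names as carrying the fix (5.12.8, 5.10.41, 5.4.123)? The POSIX sh script below is an added example, not part of the ticket or of LFS; it answers both questions from a kernel config file and a version string. The config text embedded in it is constructed sample data in the format of a kernel `.config`; the `/proc/config.gz` and `/boot/config-$(uname -r)` locations in the comments are assumed conventions that depend on CONFIG_IKCONFIG_PROC and on the distribution, respectively.

```shell
#!/bin/sh
# Added example (not from the LFS ticket): report whether a kernel config
# enables BPF and whether a kernel version is at or past the fixed point
# releases named in the ticket (5.12.8, 5.10.41, 5.4.123).

# Constructed sample config in the format of /boot/config-$(uname -r).
# On a real system you would use, for example (assumed locations):
#   zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"
SAMPLE_CONFIG='# Linux/x86 5.12.7 Kernel Configuration
CONFIG_NET=y
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
CONFIG_BPF_JIT=y'

# config_enabled CONFIG_TEXT OPTION
# Prints "y" if OPTION is built in (=y) or a module (=m), otherwise "n".
# A line of the form "# OPTION is not set" or a missing line both give "n".
config_enabled() {
    case "$(printf '%s\n' "$1" | grep -E "^$2=[ym]$")" in
        "") echo n ;;
        *)  echo y ;;
    esac
}

# fix_status VERSION
# Prints "fixed" or "unfixed" for the three stable series the ticket covers,
# "unmaintained" for any other 5.x series at or below 5.12 (per the ticket),
# and "unknown" for anything the ticket does not speak to.
# A suffix such as "-lfs" after the version (as uname -r may print) is ignored.
fix_status() {
    ver=${1%%-*}
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" != 5 ] || [ "$minor" -gt 12 ]; then
        echo unknown
        return
    fi
    case "$minor" in
        12) need=8 ;;
        10) need=41 ;;
        4)  need=123 ;;
        *)  echo unmaintained; return ;;
    esac
    if [ "$patch" -ge "$need" ]; then
        echo fixed
    else
        echo unfixed
    fi
}

# kernel_report CONFIG_TEXT VERSION
# One-line summary combining both checks; the exposure the ticket describes
# needs BPF enabled AND a kernel without the fix.
kernel_report() {
    bpf=$(config_enabled "$1" CONFIG_BPF)
    net=$(config_enabled "$1" CONFIG_NET)
    status=$(fix_status "$2")
    printf 'kernel %s: CONFIG_NET=%s CONFIG_BPF=%s fix status: %s\n' \
        "$2" "$net" "$bpf" "$status"
    if [ "$bpf" = y ] && [ "$status" != fixed ]; then
        echo "  -> BPF is enabled on a kernel not known to carry the fix; update."
    fi
}

# Run against the constructed sample (a 5.12.7 config, i.e. one release short).
kernel_report "$SAMPLE_CONFIG" "5.12.7"
```

On a live machine replace the sample with the real config text and pass `$(uname -r)`; the version parser only drops a `-suffix`, so a kernel reporting something like `5.12.8-lfs` is handled, while distribution kernels that backport fixes without bumping the point release will be reported as unfixed and need checking against the vendor's own changelog.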

comment:3 by ken@…, 8 weeks ago

Owner: changed from lfs-book to ken@…
Status: new → assigned

comment:4 by ken@…, 8 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at @82366ae3f070c3d8a9b4f799e90b5f73625be19f

Security Advisory SA 10.1-054 created.
