Opened 15 months ago
Closed 15 months ago
New point version.
5.12.8 picks up the new fixes for 'Confused Deputy' privilege escalation attacks which go back to linux-2.6. See e.g. https://www.phoronix.com/scan.php?page=news_item&px=Linux-Confused-Deputy-2.6.12
According to lwn.net https://lwn.net/ml/oss-security/CAFzhf4r3C=hqrH_yXVQExeQV5iqrdim7kp-NBDTm6FmSCicbeQ@mail.gmail.com/ this is only if BPF has been enabled, however it seems that might now be a default - on at least one of my machines I see that is enabled, although I have not deliberately done so (and I've regarded it as trouble after the initial spectre reports which mentioned it re AMD) : looks as if CONFIG_NET selects it, so everyone who is online will have it enabled.
Also fixed in 5.10.41 and 5.4.123 if anyone is using those older series, all other 5.x kernels are no-longer maintained.
Fixed at @82366ae3f070c3d8a9b4f799e90b5f73625be19f
Security Advisory SA 10.1-054 created.
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2022 Gerard Beekmans.