Control: fixed -1 4.19.37-1
Control: found -1 4.9.168-2
Control: found -1 3.16.64-2
Control: severity -1 important

On Tue, 2019-05-14 at 14:37 -0400, Jeff Cliff wrote:
> Package: src:linux
> Version: 4.19.28-2
> Severity: grave
> Tags: security
> Justification: user security hole
> Dear Maintainer,
> An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the
> Linux kernel before 5.0.8. 
> There is a race condition leading to a use-after-free, related to net
> namespace cleanup.
> the security-tracker is tracking this issue but there does not seem
> to be a bug report for it
> Fixed by: 
> currently affects: buster/testing, stable
> currently does not affect: sid

This was already mitigated in older suites, in that we disable auto-
loading of the rds module.  This is therefore only exploitable on
systems that actually use rds.  For that reason, I'm downgrading this
to "important".


Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to