APPLIED [OEM-5.17, OEM-6.0, OEM-6.1] Re: [Jammy,OEM-5.17,OEM-6.0,OEM-6.1,Lunar 0/3] CVE-2023-4015
Timo Aaltonen
tjaalton at ubuntu.com
Fri Aug 4 11:39:58 UTC 2023
Thadeu Lima de Souza Cascardo kirjoitti 3.8.2023 klo 21.30:
> [Impact]
> Unprivileged users may use nftables to cause a use-after-free, potentially
> leading to privilege escalation.
>
> [Backport]
> This requires CVE-2023-3610 mitigations to be applied on 5.15 and later.
>
> It also requires CVE-2023-3390 mitigations to be applied on OEM-5.17 and
> OEM-6.0.
>
> A pre-requisite commit was necessary and a follow-up for it were also
> applied.
>
> CVE-2023-3610 fix, pre-req and follow-up were already applied on oem-6.1,
> thus skipped there.
>
> [Potential regression]
> nftables users may find regressions.
>
> Pablo Neira Ayuso (3):
> netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
> set/chain
> netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
> netfilter: nf_tables: unbind non-anonymous set if rule construction
> fails
>
> include/net/netfilter/nf_tables.h | 2 ++
> net/netfilter/nf_tables_api.c | 47 ++++++++++++++++++++++++++-----
> net/netfilter/nft_immediate.c | 28 ++++++++++++------
> 3 files changed, 62 insertions(+), 15 deletions(-)
>
applied to oem-kernels, thanks
--
t
More information about the kernel-team
mailing list