Source: linux
Version: 6.1.128-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op panic) is miscategorized as not impacting bookworm. The issue is with the net/ethernet/microsoft/mana driver and was introduced in linux 6.10, which is likely why the security-tracker contains the note "Vulnerable code not present" for bookworm. However, bookworm contains a backported version of this driver from 6.10 in debian/patches/features/all/ethernet-microsoft. [1] [2]

The upstream fix applies on top of our patched 6.1 kernel with an offset. [3]

I didn't propose a fix to the security-tracker data because I don't know the file format well enough.

I can prepare a merge request to the kernel package if that would help.

Investigating this further I believe we have the same problem as well
for CVE-2024-42069.
Hi Noah,
On Fri, Feb 28, 2025 at 01:58:18PM -0500, Noah Meyerhans wrote:
> Source: linux
> Version: 6.1.128-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
> I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op panic) is miscategorized as not impacting bookworm. The issue is with the net/ethernet/microsoft/mana driver and was introduced in linux 6.10, which is likely why the security-tracker contains the note "Vulnerable code not present" for bookworm. However, bookworm contains a backported version of this driver from 6.10 in debian/patches/features/all/ethernet-microsoft. [1] [2]
>
> The upstream fix applies on top of our patched 6.1 kernel with an offset. [3]
>
> I didn't propose a fix to the security-tracker data because I don't know the file format well enough.
>
> I can prepare a merge request to the kernel package if that would help.

Thanks I will shortly have a look at that as I'm rebasing 6.1.y for
bookworm for the next upload.