* [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
@ 2020-07-16 20:39 Moritz Muehlenhoff
2020-07-28 18:10 ` Jesse Brandeburg
0 siblings, 1 reply; 5+ messages in thread
From: Moritz Muehlenhoff @ 2020-07-16 20:39 UTC (permalink / raw)
To: intel-wired-lan
Hi,
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html refers
to vulnerabilities in Intel Ethernet drivers and a few of them refer to the i40e driver
specifically:
CVEID: CVE-2019-0145
Description: Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers
versions before 7.0 may allow an authenticated user to potentially enable an escalation
of privilege via local access.
CVEID: CVE-2019-0146
Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
versions before 2.8.43 may allow an authenticated user to potentially enable a denial of
service via local access.
CVEID: CVE-2019-0147
Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series
Controllers versions before 7.0 may allow an authenticated user to potentially enable a
denial of service via local access.
CVEID: CVE-2019-0148
Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
versions before 7.0 may allow an authenticated use to potentially enable a denial of
service via local access.
CVEID: CVE-2019-0149
Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700
Series Controllers versions before 2.8.43 may allow an authenticated user to potentially
enable a denial of service via local access.
Is there any further information which commits fixed these and if so, were they submitted
to stable kernels? (The Debian kernels are based on 4.9.x and 4.19.x LTS kernels, so that
we can make sure these are addressed in stable/oldstable releases)
Cheers,
Moritz
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
2020-07-16 20:39 [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux? Moritz Muehlenhoff
@ 2020-07-28 18:10 ` Jesse Brandeburg
2020-08-02 21:04 ` Moritz =?unknown-8bit?q?M=C3=BChlenhoff?=
2020-08-10 18:47 ` Salvatore Bonaccorso
0 siblings, 2 replies; 5+ messages in thread
From: Jesse Brandeburg @ 2020-07-28 18:10 UTC (permalink / raw)
To: intel-wired-lan
On Thu, 16 Jul 2020, Moritz Muehlenhoff wrote:
> Hi,
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html refers
> to vulnerabilities in Intel Ethernet drivers and a few of them refer to the i40e driver
> specifically:
I'm sorry Moritz that we haven't gotten back to you. We are chasing down
the specific patches made upstream for software portions of the below
fixes.
> CVEID: CVE-2019-0145
> Description: Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 7.0 may allow an authenticated user to potentially enable an escalation
> of privilege via local access.
>
> CVEID: CVE-2019-0146
> Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 2.8.43 may allow an authenticated user to potentially enable a denial of
> service via local access.
>
> CVEID: CVE-2019-0147
> Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series
> Controllers versions before 7.0 may allow an authenticated user to potentially enable a
> denial of service via local access.
>
> CVEID: CVE-2019-0148
> Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 7.0 may allow an authenticated use to potentially enable a denial of
> service via local access.
>
> CVEID: CVE-2019-0149
> Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700
> Series Controllers versions before 2.8.43 may allow an authenticated user to potentially
> enable a denial of service via local access.
>
> Is there any further information which commits fixed these and if so, were they submitted
> to stable kernels? (The Debian kernels are based on 4.9.x and 4.19.x LTS kernels, so that
> we can make sure these are addressed in stable/oldstable releases)
We will get you the information, it was a mistake on our part to not
mention CVEs in the commit messages if/when we upstreamed the patches. The
only thing I can say for sure is that these have been addressed in our
Out-of-tree drivers, but I realize that is not your question.
Thanks for your patience,
Jesse
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
2020-07-28 18:10 ` Jesse Brandeburg
@ 2020-08-02 21:04 ` Moritz =?unknown-8bit?q?M=C3=BChlenhoff?=
2020-08-10 18:47 ` Salvatore Bonaccorso
1 sibling, 0 replies; 5+ messages in thread
From: Moritz =?unknown-8bit?q?M=C3=BChlenhoff?= @ 2020-08-02 21:04 UTC (permalink / raw)
To: intel-wired-lan
On Tue, Jul 28, 2020 at 11:10:27AM -0700, Jesse Brandeburg wrote:
>
>
> On Thu, 16 Jul 2020, Moritz Muehlenhoff wrote:
>
> > Hi,
> > https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html refers
> > to vulnerabilities in Intel Ethernet drivers and a few of them refer to the i40e driver
> > specifically:
>
> I'm sorry Moritz that we haven't gotten back to you. We are chasing down the
> specific patches made upstream for software portions of the below fixes.
Thanks!
Cheers,
Moritz
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
2020-07-28 18:10 ` Jesse Brandeburg
2020-08-02 21:04 ` Moritz =?unknown-8bit?q?M=C3=BChlenhoff?=
@ 2020-08-10 18:47 ` Salvatore Bonaccorso
2020-08-10 21:59 ` Jesse Brandeburg
1 sibling, 1 reply; 5+ messages in thread
From: Salvatore Bonaccorso @ 2020-08-10 18:47 UTC (permalink / raw)
To: intel-wired-lan
Hi Jessie,
On Tue, Jul 28, 2020 at 11:10:27AM -0700, Jesse Brandeburg wrote:
>
>
> On Thu, 16 Jul 2020, Moritz Muehlenhoff wrote:
>
> > Hi,
> > https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html refers
> > to vulnerabilities in Intel Ethernet drivers and a few of them refer to the i40e driver
> > specifically:
>
> I'm sorry Moritz that we haven't gotten back to you. We are chasing down the
> specific patches made upstream for software portions of the below fixes.
>
> > CVEID: CVE-2019-0145
> > Description: Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers
> > versions before 7.0 may allow an authenticated user to potentially enable an escalation
> > of privilege via local access.
> >
> > CVEID: CVE-2019-0146
> > Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> > versions before 2.8.43 may allow an authenticated user to potentially enable a denial of
> > service via local access.
> >
> > CVEID: CVE-2019-0147
> > Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series
> > Controllers versions before 7.0 may allow an authenticated user to potentially enable a
> > denial of service via local access.
> >
> > CVEID: CVE-2019-0148
> > Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> > versions before 7.0 may allow an authenticated use to potentially enable a denial of
> > service via local access.
> >
> > CVEID: CVE-2019-0149
> > Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700
> > Series Controllers versions before 2.8.43 may allow an authenticated user to potentially
> > enable a denial of service via local access.
> >
> > Is there any further information which commits fixed these and if so, were they submitted
> > to stable kernels? (The Debian kernels are based on 4.9.x and 4.19.x LTS kernels, so that
> > we can make sure these are addressed in stable/oldstable releases)
>
> We will get you the information, it was a mistake on our part to not mention
> CVEs in the commit messages if/when we upstreamed the patches. The only
> thing I can say for sure is that these have been addressed in our
> Out-of-tree drivers, but I realize that is not your question.
Thanks a lot as well for coming back to the question from Moritz, much
appreiciated.
I noted here was a submission for i40e fixes to stable, as
https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg at intel.com/
. Is any of those referring to one of the above?
Thanks already for your time,
Regards,
Salvatore
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
2020-08-10 18:47 ` Salvatore Bonaccorso
@ 2020-08-10 21:59 ` Jesse Brandeburg
0 siblings, 0 replies; 5+ messages in thread
From: Jesse Brandeburg @ 2020-08-10 21:59 UTC (permalink / raw)
To: intel-wired-lan
On Mon, 10 Aug 2020 20:47:31 +0200
Salvatore Bonaccorso <carnil@debian.org> wrote:
> > We will get you the information, it was a mistake on our part to
> > not mention CVEs in the commit messages if/when we upstreamed the
> > patches. The only thing I can say for sure is that these have been
> > addressed in our Out-of-tree drivers, but I realize that is not
> > your question.
>
> Thanks a lot as well for coming back to the question from Moritz, much
> appreiciated.
>
> I noted here was a submission for i40e fixes to stable, as
> https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg at intel.com/
> . Is any of those referring to one of the above?
>
> Thanks already for your time,
The patches to address the above issues are part of mainline kernel
5.2.0, and (upcoming) stable kernel 4.19.139, however I'm not sure if
there is anything else I need to do in order to have them backported to
4.9.y.
I hope that helps you! Thanks for bringing it to our attention.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-10 21:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-16 20:39 [Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux? Moritz Muehlenhoff
2020-07-28 18:10 ` Jesse Brandeburg
2020-08-02 21:04 ` Moritz =?unknown-8bit?q?M=C3=BChlenhoff?=
2020-08-10 18:47 ` Salvatore Bonaccorso
2020-08-10 21:59 ` Jesse Brandeburg
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.