[cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

[cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 572 bytes --]

Hi, Jan-san, Minda-san,

https://lists.cip-project.org/g/cip-dev/message/6382
As was reported by Chen-Yu san last week, the following CVE security patch is not yet backported to kernels before 5.4.
	CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]

At this moment, sctp is enabled on PlatHome boards and Siemens boards.
We wonder whether sctp is really used or not. If not used, we would recommend to disable sctp for those boards, and we won't work on backporting this patch..

We are looking forward to hearing back from you.

Best regards,
--
M. Kudo

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6394): https://lists.cip-project.org/g/cip-dev/message/6394
Mute This Topic: https://lists.cip-project.org/mt/82371605/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
> Hi, Jan-san, Minda-san,
> 
> https://lists.cip-project.org/g/cip-dev/message/6382
> As was reported by Chen-Yu san last week, the following CVE security patch is not yet backported to kernels before 5.4.
> 	CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]
> 
> At this moment, sctp is enabled on PlatHome boards and Siemens boards.
> We wonder whether sctp is really used or not. If not used, we would recommend to disable sctp for those boards, and we won't work on backporting this patch..
> 
> We are looking forward to hearing back from you.
> 

I can try to listen around, but I see way more users (based on configs) than us:

https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group_id=2748814&project_id=6052798&scope=&search_code=true&snippets=false&repository_ref=master&nav_source=navbar

In that light, a backport might be required.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6396): https://lists.cip-project.org/g/cip-dev/message/6396
Mute This Topic: https://lists.cip-project.org/mt/82371605/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

[Nobuhiro Iwamatsu]

[-- Attachment #1: Type: text/plain, Size: 1701 bytes --]

Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Jan Kiszka
> Sent: Monday, April 26, 2021 10:09 PM
> To: masashi.kudo@cybertrust.co.jp; minmin@plathome.co.jp; cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting
> 
> On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
> > Hi, Jan-san, Minda-san,
> >
> > https://lists.cip-project.org/g/cip-dev/message/6382
> > As was reported by Chen-Yu san last week, the following CVE security patch is not yet backported to kernels before
> 5.4.
> > 	CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]
> >
> > At this moment, sctp is enabled on PlatHome boards and Siemens boards.
> > We wonder whether sctp is really used or not. If not used, we would recommend to disable sctp for those boards, and
> we won't work on backporting this patch..
> >
> > We are looking forward to hearing back from you.
> >
> 
> I can try to listen around, but I see way more users (based on configs) than us:
> 
> https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group_id=2748814&project_id=6052798&scope=&search_
> code=true&snippets=false&repository_ref=master&nav_source=navbar
> 
> In that light, a backport might be required.

This CVE patch has already been backported and will be included if there are no issues.

 4.19.189-rc1: https://lore.kernel.org/stable/20210426072820.621580223@linuxfoundation.org/
 4.4.268-rc1: https://lore.kernel.org/stable/20210426072816.631201988@linuxfoundation.org/

And 5.10.y has been fixed in 5.10.32.

> 
> Jan

Best regards,
  Nobuhiro

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6397): https://lists.cip-project.org/g/cip-dev/message/6397
Mute This Topic: https://lists.cip-project.org/mt/82371605/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the backporting

[masashi.kudo]

[-- Attachment #1: Type: text/plain, Size: 2386 bytes --]

Hi, Jan-san,

Thanks for your feedback.

Iwamatsu-san,

Thanks for sharing the latest status.
So, let me drop this request.

Best regards,
--
M. Kudo

> -----Original Message-----
> From: nobuhiro1.iwamatsu@toshiba.co.jp <nobuhiro1.iwamatsu@toshiba.co.jp>
> Sent: Tuesday, April 27, 2021 9:32 AM
> To: cip-dev@lists.cip-project.org; 工藤　雅司（CTJ　OSS・IoT事業部　IoT技術
> 本部） <masashi.kudo@cybertrust.co.jp>; minmin@plathome.co.jp
> Subject: RE: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the
> backporting
> 
> Hi,
> 
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On
> Behalf Of Jan Kiszka
> > Sent: Monday, April 26, 2021 10:09 PM
> > To: masashi.kudo@cybertrust.co.jp; minmin@plathome.co.jp;
> cip-dev@lists.cip-project.org
> > Subject: Re: [cip-dev] [Inquiry for CVE-2021-23133] -- necessity of the
> backporting
> >
> > On 26.04.21 07:49, masashi.kudo@cybertrust.co.jp wrote:
> > > Hi, Jan-san, Minda-san,
> > >
> > > https://lists.cip-project.org/g/cip-dev/message/6382
> > > As was reported by Chen-Yu san last week, the following CVE security patch
> is not yet backported to kernels before
> > 5.4.
> > > 	CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]
> > >
> > > At this moment, sctp is enabled on PlatHome boards and Siemens boards.
> > > We wonder whether sctp is really used or not. If not used, we would
> recommend to disable sctp for those boards, and
> > we won't work on backporting this patch..
> > >
> > > We are looking forward to hearing back from you.
> > >
> >
> > I can try to listen around, but I see way more users (based on configs) than us:
> >
> >
> https://gitlab.com/search?utf8=%E2%9C%93&search=CONFIG_IP_SCTP&group
> _id=2748814&project_id=6052798&scope=&search_
> > code=true&snippets=false&repository_ref=master&nav_source=navbar
> >
> > In that light, a backport might be required.
> 
> This CVE patch has already been backported and will be included if there are no
> issues.
> 
>  4.19.189-rc1:
> https://lore.kernel.org/stable/20210426072820.621580223@linuxfoundation.org
> /
>  4.4.268-rc1:
> https://lore.kernel.org/stable/20210426072816.631201988@linuxfoundation.org
> /
> 
> And 5.10.y has been fixed in 5.10.32.
> 
> >
> > Jan
> 
> Best regards,
>   Nobuhiro

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6398): https://lists.cip-project.org/g/cip-dev/message/6398
Mute This Topic: https://lists.cip-project.org/mt/82371605/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-