Hi, Jan-san,

Thanks for your confirmation!

Iwamatsu-san,
Could you turn off both features from the following configs?

> > - CVE-2020-35519 is relating to X.25.
> >> 4.19.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_X25=m
> >> 5.10.y-cip-rt/x86/siemens_i386-rt_defconfig:CONFIG_X25=m
> > - CVE-2021-20261 is relating to floppy.
> >> 4.4.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_BLK_DEV_FD=m

Best regards,
--
M. Kudo

> -----Original Message-----
> From: Jan Kiszka
> Sent: Friday, March 19, 2021 5:06 PM
> To: 工藤 雅司(CTJ OSS事業推進室) ;
> minmin@plathome.co.jp; cip-dev@lists.cip-project.org
> Cc: pavel@denx.de; nobuhiro1.iwamatsu@toshiba.co.jp; wens@csie.org
> Subject: Re: [Feedback Requested] RE: Cip-kernel-sec Updates for Week of
> 2021-03-18
>
> On 18.03.21 10:33, masashi.kudo@cybertrust.co.jp wrote:
> > Hi, Jan-san, Minda-san,
> >
> > Please find the CVE report as follows.
> > In the analysis of those CVEs, we found some doubts about the configs.
> >
> > - CVE-2020-35519 is relating to X.25.
> > X.25 is enabled as follows, but we wonder whether X.25 is really used or not.
> >> 4.4.y-cip/x86/plathome_obsvx1.config:CONFIG_X25=m
> >> 4.19.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_X25=m
> >> 5.10.y-cip-rt/x86/siemens_i386-rt_defconfig:CONFIG_X25=m
> >
> > Please confirm, and let us know whether X.25 should be disabled.
> >
> > - CVE-2021-20261 is relating to floppy.
> > It is enabled as follows.
> >> 4.4.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_BLK_DEV_FD=m
> >
> > Please confirm that this can be also disabled.
> >
>
> Yes, both features can be turned off.
>
> Thanks,
> Jan
>
> > Best regards,
> > --
> > M. Kudo
> >
> >> -----Original Message-----
> >> From: Chen-Yu Tsai
> >> Sent: Thursday, March 18, 2021 5:48 PM
> >> To: cip-dev@lists.cip-project.org
> >> Cc: Pavel Machek ; Nobuhiro Iwamatsu
> >> ; 工藤 雅司(CTJ OSS事業推進室)
> >>
> >> Subject: Cip-kernel-sec Updates for Week of 2021-03-18
> >>
> >> Hi everyone,
> >>
> >> Six new issues this week from the Ubuntu tracker:
> >>
> >> - CVE-2020-35519 [net/x25: buffer overflow] - fixed
> >>   Looks like a few configs still have X.25 enabled:
> >>   4.4.y-cip/x86/plathome_obsvx1.config:CONFIG_X25=m
> >>   4.19.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_X25=m
> >>   5.10.y-cip-rt/x86/siemens_i386-rt_defconfig:CONFIG_X25=m
> >>   Maybe they should be revisited? cip-kernel-config also gives warnings
> >>   for CONFIG_X25.
> >>
> >> - CVE-2021-20219 [improper synchronization in flush_to_ldisc()] -
> >>   likely RedHat only
> >>   Report mentions incorrect backport in RedHat kernels.
> >>
> >> - CVE-2021-20261 [floppy: race condition data corruption] - fixed
> >>   No member enables this except:
> >>   4.4.y-cip-rt/x86/siemens_i386-rt.config:CONFIG_BLK_DEV_FD=m
> >>   which should probably be turned off.
> >>
> >> - CVE-2021-28375 [fastrpc: allows sending kernel RPCs] - fixed
> >>   No member enables this.
> >>
> >> - CVE-2021-28660 [rtl8188eu: array access out-of-bounds] - fixed
> >>   No member enables this.
> >>
> >> - CVE-2021-3428 [integer overflow in ext4_es_cache_extent] - unclear [1]
> >>   Requires a specially-crafted ext4 FS image, so we likely don't care.
> >>
> >> Unfortunately Debian's Salsa service, where the Debian kernel
> >> security issue tracker is hosted, is currently down, so we only have one source
> >> of data this week.
> >>
> >>
> >> Regards
> >> ChenYu
> >>
> >>
> >> [1]
> >> https://lore.kernel.org/stable/20210317151834.GE2541@quack2.suse.cz/
> >
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux
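
The config check discussed in this thread, as an added example that is not part of any message above and is not cip-kernel-sec or cip-kernel-config code: it parses kernel config text and reports, per CVE, which configs still build the affected feature. The CVE-to-symbol pairs and file paths come from the thread; the file contents are constructed, and treating an absent symbol as disabled is an assumption.

```python
import re

# CVE -> Kconfig symbol, as stated in the thread above.
CVE_TO_SYMBOL = {
    "CVE-2020-35519": "CONFIG_X25",
    "CVE-2021-20261": "CONFIG_BLK_DEV_FD",
}

# Constructed config excerpts: the paths are the ones named in the thread,
# the file contents are invented for this example.
SAMPLE_CONFIGS = {
    "4.4.y-cip/x86/plathome_obsvx1.config":
        "CONFIG_X25=m\n# CONFIG_BLK_DEV_FD is not set\n",
    "4.4.y-cip-rt/x86/siemens_i386-rt.config":
        "# CONFIG_X25 is not set\nCONFIG_BLK_DEV_FD=m\n",
    "4.19.y-cip-rt/x86/siemens_i386-rt.config":
        "CONFIG_X25=m\nCONFIG_LAPB=m\n",
    "5.10.y-cip-rt/x86/siemens_i386-rt_defconfig":
        "CONFIG_X25=m\nCONFIG_X25_ASY=m\n",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_FOO is not set' becomes 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            values[m.group(1)] = m.group(2)
        elif m := UNSET_RE.match(line):
            values[m.group(1)] = "n"
    return values

def exposed_configs(configs, cve_to_symbol):
    """Map each CVE to the 'path:SYMBOL=value' entries that build the feature."""
    parsed = {path: parse_config(text) for path, text in configs.items()}
    report = {}
    for cve, symbol in cve_to_symbol.items():
        # Assumption: a symbol absent from the file is treated as disabled.
        report[cve] = sorted(
            f"{path}:{symbol}={vals[symbol]}"
            for path, vals in parsed.items()
            if vals.get(symbol, "n") in ("y", "m"))
    return report

if __name__ == "__main__":
    for cve, hits in exposed_configs(SAMPLE_CONFIGS, CVE_TO_SYMBOL).items():
        print(cve, hits or "not enabled in any listed config")
```

Matching the whole symbol name matters here: a config that sets only `CONFIG_X25_ASY` must not be reported as enabling `CONFIG_X25`.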