Message ID | 20240513121827.10658-1-bethany.jamison@canonical.com
---|---
Series | CVE-2024-26642
On 5/13/24 14:18, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> Anonymous sets are never used with timeout from userspace, reject this.
> Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
>
> [Fix]
>
> Noble: pending
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: Mantic patch applied cleanly.
> Focal: Clean cherry-pick from linux-5.4.y
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where issues could occur]
>
> This fix affects those who use the nftables network framework, an issue
> with this fix would be visible to the user via unexpected behavior
> surrounding anonymous sets and userspace timeout.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> net/netfilter/nf_tables_api.c | 3 +++
> 1 file changed, 3 insertions(+)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On Mon, 2024-05-13 at 14:18 +0200, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> Anonymous sets are never used with timeout from userspace, reject
> this.
> Exception to this rule is NFT_SET_EVAL to ensure legacy meters still
> work.
>
> [Fix]
>
> Noble: pending
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: Mantic patch applied cleanly.
> Focal: Clean cherry-pick from linux-5.4.y
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where issues could occur]
>
> This fix affects those who use the nftables network framework, an
> issue
> with this fix would be visible to the user via unexpected behavior
> surrounding anonymous sets and userspace timeout.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> net/netfilter/nf_tables_api.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --
> 2.34.1
>
>
On 13/05/2024 14:18, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> Anonymous sets are never used with timeout from userspace, reject this.
> Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
>
> [Fix]
>
> Noble: pending
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: Mantic patch applied cleanly.
> Focal: Clean cherry-pick from linux-5.4.y
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where issues could occur]
>
> This fix affects those who use the nftables network framework, an issue
> with this fix would be visible to the user via unexpected behavior
> surrounding anonymous sets and userspace timeout.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: disallow anonymous set with timeout flag
>
> net/netfilter/nf_tables_api.c | 3 +++
> 1 file changed, 3 insertions(+)

Applied to mantic:linux, jammy:linux, focal:linux master-next branches. Thanks!