Hi Ben,
On Tue, Aug 24, 2021 at 12:37 AM Ben Greear <greearb@candelatech.com> wrote:
On 8/23/21 7:08 AM, Pali Rohár wrote:
Hello Sasha and Greg!
Last week I sent a request for backporting ath9k wifi fixes for security issue CVE-2020-3702 into stable LTS kernels because Qualcomm/maintainers did not do it for more months... details are in email: https://lore.kernel.org/stable/20210818084859.vcs4vs3yd6zetmyt@pali/t/#u
For one thing, almost everyone using these radios is using openwrt or similar which has its own patch sets.
For reference, according to Debian's own security tracker, only CVE-2020-26139 is patched on all but the most ancient tracked release:
https://security-tracker.debian.org/tracker/CVE-2020-26139 (fixed in all but the most ancient release)
https://security-tracker.debian.org/tracker/CVE-2020-3702 (all tracked kernels are vulnerable)
https://security-tracker.debian.org/tracker/CVE-2020-26145 (only testing/unstable is fixed)
https://security-tracker.debian.org/tracker/CVE-2020-26141 (only testing/unstable is fixed)
Debian Buster has a 4.19 kernel and they only released Bullseye, its successor, a couple of weeks ago, so there's probably a not-insignificant number of PCs out there still running kernels that old, and I understand that they'll be supporting Buster with security fixes for approximately another year: https://www.debian.org/security/faq#lifespan
Thanks,