On Fri, May 18, 2018 at 09:00:07AM -0700, Guenter Roeck wrote:
On Fri, May 18, 2018 at 04:52:07PM +0200, Greg Kroah-Hartman wrote:
On Fri, May 18, 2018 at 06:47:46AM -0700, Guenter Roeck wrote:
Hi Greg,
please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") to v4.9.y and older to fix CVE-2018-10087.
Odd no one asked for that one to be backported before :(
Not entirely surprising. The patch is from July 2017, it wasn't marked for stable, and the CVE has been created only recently (04/13/2018). CVE severity and the reference to the upstream commit were added yesterday, which caused our CVE tracker to barf at me.
Who applied for the CVE number? They should have been the ones to notify people of the issue, so who should I go kick about this? :)
thanks,
greg k-h