public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Juergen Gross <jgross@suse.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
	"security@xenproject.org" <security@xenproject.org>
Subject: Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
Date: Thu, 20 Jun 2024 10:18:41 +0200
Message-ID: <2024062034-pork-limes-2c4c@gregkh>
In-Reply-To: <769040d1-fc9c-47a7-a4b5-93c693472624@suse.com>

On Thu, Jun 20, 2024 at 09:53:02AM +0200, Juergen Gross wrote:
> On 19.06.24 16:54, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > xen/blkfront: harden blkfront against event channel storms
> > 
> > The Xen blkfront driver is still vulnerable to an attack via an
> > excessive number of events sent by the backend. Fix that by using
> > lateeoi event channels.
> > 
> > This is part of XSA-391
> > 
> > The Linux kernel CVE team has assigned CVE-2021-47573 to this issue.
> 
> When issuing XSA-391 the Xen security team already assigned CVE-2021-28711
> to this issue.

Cool, but why was that not documented in the CVE entry itself?  I search
the existing CVE database when assigning CVEs for older things like this
(the import of the GSD database), and if there is no reference in the
CVE entry, then I have to assume that no CVE was assigned to the commit.

I'll go reject this one (and the other ones you pointed out), but can
you please update the CVE json entry with the information and ids of the
fixed commits so that everyone can correctly track these?

Also, the XSA-391 announcement doesn't say anything about them either;
is that intentional?

thanks,

greg k-h
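The lookup Greg describes above (search the existing CVE records for a reference to the fix commit, and treat a commit with no such reference as unassigned), followed by the remedy he asks for (add the fix commit to the record so later searches find it), as an added example that is not part of this thread and is not kernel.org's or the Xen project's CVE tooling. The record layout follows the CVE JSON 5.x shape as I understand it (`containers.cna.references[].url`, and `containers.cna.affected[].versions[]` entries with `versionType: "git"`); the record contents, the advisory URL and the 40-character commit hash below are constructed placeholders, not the real CVE-2021-28711 data.

```python
"""Cross-check a fix commit against existing CVE JSON 5.x records.

Added example for this thread; not kernel.org or Xen CVE tooling.
Records, URLs and hashes below are constructed placeholders.
"""
import copy
import re

# URL shapes commonly used for single-commit links (kernel.org stable/linus
# short links, GitHub-style /commit/, gitweb ?h=). Assumed, not exhaustive.
_COMMIT_URL_RE = re.compile(
    r"(?:/stable/c/|/linus/|/commit/|[?;&]h=)([0-9a-f]{7,40})\b", re.IGNORECASE
)
_HEX_RE = re.compile(r"[0-9a-f]{7,40}", re.IGNORECASE)

# Constructed stand-in for the Xen-assigned record: it cites the advisory only,
# with no fix-commit reference, which is the situation Greg ran into.
FIX_COMMIT = "0123456789abcdef0123456789abcdef01234567"  # fictional hash
XSA_RECORD = {
    "cveMetadata": {"cveId": "CVE-2021-28711", "assignerShortName": "XEN"},
    "containers": {"cna": {
        "references": [
            # advisory URL shape assumed for the example
            {"url": "https://xenbits.xenproject.org/xsa/advisory-391.html"},
        ],
        "affected": [],
    }},
}


def _hash_matches(a, b):
    """Abbreviated hashes (>= 7 hex chars) match any full hash they prefix."""
    a, b = a.lower(), b.lower()
    return len(a) >= 7 and len(b) >= 7 and (a.startswith(b) or b.startswith(a))


def commits_referenced(record):
    """All commit hashes a record points at, via reference URLs or git ranges."""
    cna = record.get("containers", {}).get("cna", {})
    found = set()
    for ref in cna.get("references", []):
        m = _COMMIT_URL_RE.search(ref.get("url", ""))
        if m:
            found.add(m.group(1).lower())
    for product in cna.get("affected", []):
        for ver in product.get("versions", []):
            if ver.get("versionType") != "git":
                continue
            # "version" is the introducing commit, "lessThan" the fix commit
            for key in ("version", "lessThan", "lessThanOrEqual"):
                val = str(ver.get(key, ""))
                if _HEX_RE.fullmatch(val):
                    found.add(val.lower())
    return found


def find_cves_for_commit(records, commit):
    """CVE IDs whose record already references `commit`; [] means 'unassigned'."""
    hits = [
        rec["cveMetadata"]["cveId"]
        for rec in records
        if any(_hash_matches(commit, h) for h in commits_referenced(rec))
    ]
    return sorted(hits)


def add_commit_reference(record, commit_url):
    """Add a fix-commit reference (tagged 'patch') if it is not already present."""
    cna = record.setdefault("containers", {}).setdefault("cna", {})
    refs = cna.setdefault("references", [])
    if not any(r.get("url") == commit_url for r in refs):
        refs.append({"url": commit_url, "tags": ["patch"]})
    return record


def demo():
    """Before: the commit looks unassigned. After adding the reference: found."""
    rec = copy.deepcopy(XSA_RECORD)
    before = find_cves_for_commit([rec], FIX_COMMIT)
    add_commit_reference(rec, "https://git.kernel.org/stable/c/" + FIX_COMMIT)
    after = find_cves_for_commit([rec], FIX_COMMIT)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The search deliberately accepts abbreviated hashes, because older records often cite a 12-character short hash rather than the full 40; the `lessThan` field is where kernel-style git ranges carry the fix commit, so a record can reference a commit without listing it as a URL at all.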


Thread overview: 6+ messages
     [not found] <2024061911-CVE-2021-47573-5c43@gregkh>
2024-06-20  7:53 ` CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms Juergen Gross
2024-06-20  8:18   ` Greg Kroah-Hartman [this message]
2024-06-20  8:46     ` Jan Beulich
2024-06-20  9:20       ` Greg Kroah-Hartman
2024-06-20  9:32         ` Jan Beulich
2024-06-20  9:41           ` Greg Kroah-Hartman
