From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.kernel.org ([198.145.29.99]:35260 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752336AbeESHpM (ORCPT ); Sat, 19 May 2018 03:45:12 -0400 Date: Sat, 19 May 2018 09:44:54 +0200 From: Greg Kroah-Hartman To: Guenter Roeck Cc: stable Subject: Re: Please apply dd83c161fbcc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") to v4.9.y and older Message-ID: <20180519074454.GA5925@kroah.com> References: <7d456b92-3cd8-25f8-83a2-0f0ab5edb7f6@roeck-us.net> <20180518145207.GB3569@kroah.com> <20180518160007.GA5123@roeck-us.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180518160007.GA5123@roeck-us.net> Sender: stable-owner@vger.kernel.org List-ID: On Fri, May 18, 2018 at 09:00:07AM -0700, Guenter Roeck wrote: > On Fri, May 18, 2018 at 04:52:07PM +0200, Greg Kroah-Hartman wrote: > > On Fri, May 18, 2018 at 06:47:46AM -0700, Guenter Roeck wrote: > > > Hi Greg, > > > > > > please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") > > > to v4.9.y and older to fix CVE-2018-10087. > > > > Odd no one asked for that one to be backported before :( > > > > Not entirely surprising. The patch is from July 2017, it wasn't marked > for stable, and the CVE has been created only recently (04/13/2018). > CVE severity and the reference to the upstream commit were added > yesterday, which caused our CVE tracker to barf at me. Who applied for the CVE number? They should have been the ones to notify people of the issue, so who should I go kick about this? :) thanks, greg k-h