[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] 5 Linux kernel ksmbd vulnerabilities
From:       Hauke Mehrtens <hauke () hauke-m ! de>
Date:       2024-03-20 0:32:25
Message-ID: 8e716095-2a6c-4e39-bb3a-064a3c482f2a () hauke-m ! de
[Download RAW message or body]

On 3/19/24 04:30, Alexander E. Patrakov wrote:
> On Tue, Mar 19, 2024 at 6:11 AM daniel <sd@x17.eu> wrote:
>>
>> Recently two batches of Linux kernel ksmbd vulnerabilities became public.
>>
>> Please find here an overview, the attached ZDI information and the
>> corresponding links to the Linux kernel cve announce messages with
>> further information.
> 
> I am personally worried about the situation with OpenWrt which would
> need a new stable release to address this. However, they use a manual
> backport of this to the 5.15.x kernel.
> 
Hi,

OpenWrt 23.05 uses kernel 5.15 and the ksmbd implementation found in 
this upstream kernel version. OpenWrt plans to do a new service release 
23.05.3 in the next days anyway with kernel 5.15.150. This should 
contain all needed fixes.

OpenWrt 22.03 uses ksmbd from https://github.com/cifsd-team/ksmbd in 
version 3.4.7. This is probably affected by these problems.
Maybe we will update this to 3.4.9 or backport the patches fixing 
security problems. OpenWrt 22.03 will be EoL in April 2024 anyway.

Hauke
[prev in list] [next in list] [prev in thread] [next in thread]