[Git][security-tracker-team/security-tracker][master] Mark firmware-nonfree issues as ignored for bookworm to start with
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Oct 30 21:14:55 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
360f515e by Salvatore Bonaccorso at 2024-10-30T22:09:28+01:00
Mark firmware-nonfree issues as ignored for bookworm to start with
In the Debian kernel team meeting from 2024-10-30 the issue around
firmware-nonfree updates was discussed.
It was agreed to try to approach upstream (in particular as most of the
CVEs are for Intel provided firmware) and try to get information on
which respective linux-firmware.git commits address the CVEs.
The team agreed that across the supported suites we won't want to rebase
the package to a newer version in stable or oldstable (risky for
regressions, blobs which are removed might break functionality of
running systems).
It might only become necessary once in a suite a kernel is rebased to a
newer upstream stable version.
Link: https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-10-30-20.00.html
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -44300,7 +44300,7 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
- firmware-nonfree 20240610-1
- [bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...)
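Review bot: on the `[bookworm]` line for CVE-2023-47210, `<ignored>` is paired with a reason that says "potentially revisit", so the entry reads as closed and pending at once. Name the trigger for the revisit in the reason (the commit message gives one: a kernel rebase to a newer upstream stable version in the suite) or reference the meeting log in a NOTE, so the rationale is visible in data/CVE/list itself and not only in the commit message.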
@@ -44393,7 +44393,7 @@ CVE-2023-38420 (Improper conditions check in Intel(R) Power Gadget software for
NOT-FOR-US: Intel
CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
- firmware-nonfree 20240610-1
- [bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
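Review bot: the CVE-2023-38417 entry has no NOTE recording which linux-firmware release carries the fix, unlike several other firmware-nonfree entries touched in this commit ("NOTE: Fixed upstream in linux-firmware/..."). Since the new reason hinges on upstream information being identified, add a NOTE stating what is known and what is still missing for intel-sa-01039; the same applies to CVE-2023-47210, which cites the same advisory.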
@@ -73280,7 +73280,7 @@ CVE-2023-35062 (Improper access control in some Intel(R) DSA software before ver
NOT-FOR-US: Intel
CVE-2023-35061 (Improper initialization for the Intel(R) PROSet/Wireless and Intel(R) ...)
- firmware-nonfree 20240610-1 (bug #1064229)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
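Review bot: on the `[bookworm]` line for CVE-2023-35061 the reason changes from "Non-free not supported" to "Minor issue", which is a different kind of justification (severity instead of support policy), while `[bullseye]` keeps the old wording. Either say in the commit message that the severity was assessed, or keep the reason neutral, so the two suites do not give conflicting rationales for the same CVE.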
@@ -79117,7 +79117,7 @@ CVE-2023-51381
REJECTED
CVE-2023-4969 (A GPU kernel can read sensitive data from another GPU kernel (even fro ...)
- firmware-nonfree 20240610-1 (bug #1061460)
- [bookworm] - firmware-nonfree <postponed> (Minor issue, revisit when updates are available around March 2024)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
[buster] - firmware-nonfree <postponed> (Minor issue, revisit when updates are available)
NOTE: https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/
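Review bot: after this change CVE-2023-4969 carries three different states, `<ignored>` for bookworm, `<no-dsa>` for bullseye and `<postponed>` for buster, and the dated revisit marker ("around March 2024") is dropped without a record of whether updates became available. The shared reason also refers to upstream commits, which the commit message ties mainly to Intel firmware; this entry describes a GPU issue, so state which upstream the revisit depends on.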
@@ -151987,7 +151987,7 @@ CVE-2022-46646 (Exposure of sensitive information to an unauthorized actor for s
CVE-2022-46329 (Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi so ...)
{DLA-3596-1}
- firmware-nonfree 20240610-1 (bug #1051892)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
NOTE: Fixed upstream in linux-firmware/20230804
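Review bot: the new reason on the `[bookworm]` line for CVE-2022-46329 waits on upstream commits being "clarified/identified", yet the entry already records "Fixed upstream in linux-firmware/20230804". Word the reason so it is clear that the fixing release is known and only the individual linux-firmware.git commits are outstanding; the same holds for the other entries in this commit that reference bug #1051892.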
@@ -169617,7 +169617,7 @@ CVE-2022-40970
CVE-2022-40964 (Improper access control for some Intel(R) PROSet/Wireless WiFi and Kil ...)
{DLA-3596-1}
- firmware-nonfree 20240610-1 (bug #1051892)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
NOTE: Fixed upstream in linux-firmware/20230804
@@ -179031,7 +179031,7 @@ CVE-2022-38087 (Exposure of resource to wrong sphere in BIOS firmware for some I
CVE-2022-38076 (Improper input validation in some Intel(R) PROSet/Wireless WiFi and Ki ...)
{DLA-3596-1}
- firmware-nonfree 20240610-1 (bug #1051892)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
NOTE: Fixed upstream in linux-firmware/20230804
@@ -179049,7 +179049,7 @@ CVE-2022-36406
CVE-2022-36351 (Improper input validation in some Intel(R) PROSet/Wireless WiFi and Ki ...)
{DLA-3596-1}
- firmware-nonfree 20240610-1 (bug #1051892)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
NOTE: Fixed upstream in linux-firmware/20230804
@@ -208909,7 +208909,7 @@ CVE-2022-1041 (In Zephyr bluetooth mesh core stack, an out-of-bound write vulner
CVE-2022-27635 (Improper access control for some Intel(R) PROSet/Wireless WiFi and Kil ...)
{DLA-3596-1}
- firmware-nonfree 20240610-1 (bug #1051892)
- [bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [bookworm] - firmware-nonfree <ignored> (Minor issue; potentially revisit once upstream commits clarified/identified)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
NOTE: Fixed upstream in linux-firmware/20230804
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360f515e44edab100ecd65aee6cbb06233a3e8dc