On Sat, Mar 01, 2025 at 02:15:43PM +0100, Salvatore Bonaccorso wrote: > > > Source: linux > > > Version: 6.1.128-1 > > > Severity: important > > > Tags: security > > > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org> > > > > > > I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op > > > panic) is miscategorized as not impacting bookworm. The issue is with > > > the net/ethernet/microsoft/mana driver and was introduced in linux 6.10, > > > which is likely why the security-tracker contains the note "Vulnerable > > > code not present" for bookworm. However, bookworm contains a backported > > > version of this driver from 6.10 in > > > debian/patches/features/all/ethernet-microsoft. [1] [2] > > > > > > The upstream fix applies on top of our patched 6.1 kernel with an > > > offset. [3] > > > > > > I didn't propose a fix to the security-tracker data because I don't know > > > the file format well enough. > > > > > > I can prepare a merge request to the kernel package if that would help. > > > > Thanks I will shortly have a look at that as I'm rebasing 6.1.y for > > bookworm for the next upload. > > Investigating this further I believe we have the same problem as well > for CVE-2024-42069.
Yes, that seems likely. noah
