CVE-2022-25258 and CVE-2022-25375

Bug #1971205 reported by Luís Infante da Câmara
Affects: Status / Importance / Assigned to / Milestone
linux-aws (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-aws-5.13 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-aws-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-azure (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-azure-4.15 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-azure-5.13 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-azure-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-bluefield (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-dell300x (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gcp (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gcp-4.15 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gcp-5.13 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gcp-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gke (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gke-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gkeop (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-gkeop-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-hwe-5.13 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-hwe-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-ibm (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-ibm-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-kvm (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-oracle (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-oracle-5.13 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-oracle-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-raspi (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-raspi-5.4 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-raspi2 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-riscv (Ubuntu): Fix Released / Undecided / Unassigned / (none)
linux-snapdragon (Ubuntu): Fix Released / Undecided / Unassigned / (none)

Bug Description

These packages are vulnerable to CVE-2022-25258 and CVE-2022-25375 in at least one Ubuntu release, as stated in the Ubuntu CVE Tracker.

Please release fixed packages.

Debian released an advisory on March 7.

CVE References: CVE-2022-25258, CVE-2022-25375

description: updated
description: updated
summary: - CVE-2022-25258
+ CVE-2022-25258 and CVE-2022-25375
information type: Private Security → Public Security
no longer affects: linux-azure-fde (Ubuntu)
Changed in linux-aws (Ubuntu):
status: New → Confirmed
Changed in linux-aws-5.13 (Ubuntu):
status: New → Confirmed
Changed in linux-aws-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-azure (Ubuntu):
status: New → Confirmed
Changed in linux-azure-4.15 (Ubuntu):
status: New → Confirmed
Changed in linux-azure-5.13 (Ubuntu):
status: New → Confirmed
Changed in linux-azure-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-bluefield (Ubuntu):
status: New → Confirmed
Changed in linux-dell300x (Ubuntu):
status: New → Confirmed
Changed in linux-gcp (Ubuntu):
status: New → Confirmed
Changed in linux-gcp-4.15 (Ubuntu):
status: New → Confirmed
Changed in linux-gcp-5.13 (Ubuntu):
status: New → Confirmed
Changed in linux-gcp-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-gke (Ubuntu):
status: New → Confirmed
Changed in linux-gke-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-gkeop (Ubuntu):
status: New → Confirmed
Changed in linux-gkeop-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-hwe-5.13 (Ubuntu):
status: New → Confirmed
Changed in linux-hwe-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-ibm (Ubuntu):
status: New → Confirmed
Changed in linux-ibm-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-kvm (Ubuntu):
status: New → Confirmed
Changed in linux-oracle (Ubuntu):
status: New → Confirmed
Changed in linux-oracle-5.13 (Ubuntu):
status: New → Confirmed
Changed in linux-oracle-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-raspi (Ubuntu):
status: New → Confirmed
Changed in linux-raspi-5.4 (Ubuntu):
status: New → Confirmed
Changed in linux-raspi2 (Ubuntu):
status: New → Confirmed
Changed in linux-riscv (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote:

The security team doesn't track security updates using launchpad bugs. The CVE tracker is where security updates are tracked:

https://ubuntu.com/security/cves

You can follow the progress on those CVEs here:

https://ubuntu.com/security/cve-2022-25258
https://ubuntu.com/security/cve-2022-25375

Changed in linux-snapdragon (Ubuntu):
status: New → Confirmed
Changed in linux-aws (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-aws-5.13 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-aws-5.4 (Ubuntu):
status: Confirmed → Fix Committed
Changed in linux-azure (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-azure-4.15 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-azure-5.13 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-azure-5.4 (Ubuntu):
status: Confirmed → Fix Released
Luís Infante da Câmara (luis220413) wrote:

I filed this bug to alert that these vulnerabilities were unpatched for 2 months. Some kernels in supported Ubuntu releases are still affected:

$ wget https://git.launchpad.net/ubuntu-cve-tracker/plain/active/CVE-2022-25258
$ grep -vE '^(upstream_[a-z0-9.-]+: |Patches_[a-z0-9.-]+:$| break-fix:|([a-z]+|trusty/esm|esm-infra/xenial)_[a-z0-9.-]+: (DNE$|released |not-affected($| )|ignored)|$)' CVE-2022-25258

bionic_linux-aws-5.4: pending (5.4.0-1073.78~18.04.1)
focal_linux-bluefield: needed
fips/xenial_linux-fips: needs-triage
fips-updates/xenial_linux-fips: needs-triage
fips/bionic_linux-fips: needs-triage
fips-updates/bionic_linux-fips: needs-triage
fips/focal_linux-fips: needs-triage
fips-updates/focal_linux-fips: needs-triage
bionic_linux-gke-5.4: pending (5.4.0-1069.72~18.04.1)
bionic_linux-raspi2: pending (4.15.0-1109.116)
impish_linux-riscv: pending (5.13.0-1021.23)
focal_linux-oracle-5.13: pending (5.13.0-1028.33~20.04.1)

Please release patched versions of linux-bluefield and linux-fips.
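The one-line grep in the comment above filters a raw ubuntu-cve-tracker record down to the release/package entries that still need work. The following script is an added example (not code from the bug report or from the ubuntu-cve-tracker project) that does the same job in Python so the result can be fed into patch-tracking tooling: it parses lines of the form `release_package: status (note)`, drops the `upstream_*` rows and every status that counts as resolved (`released`, `not-affected`, `DNE`, `ignored`), and reports how long the CVE has been public. The record text is a constructed excerpt that imitates the layout visible in the comment's output; the `PublicDate:` header field and the exact set of status words are assumptions about the tracker format, not values taken from this page.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterator, List, Optional

# Constructed excerpt imitating the ubuntu-cve-tracker record layout.
# This is sample input for the example, not the real CVE-2022-25258 file.
SAMPLE_RECORD = """\
Candidate: CVE-2022-25258
PublicDate: 2022-02-16
Description:
 constructed description text
Patches_linux:
 break-fix: - 1111111111111111111111111111111111111111
upstream_linux: released (5.17)
trusty/esm_linux: not-affected
xenial_linux: released (4.4.0-222.255)
bionic_linux: released (4.15.0-176.185)
focal_linux: released (5.4.0-105.119)

Patches_linux-bluefield:
upstream_linux-bluefield: DNE
bionic_linux-bluefield: DNE
focal_linux-bluefield: needed
impish_linux-bluefield: DNE

Patches_linux-fips:
fips/xenial_linux-fips: needs-triage
fips-updates/focal_linux-fips: needs-triage
bionic_linux-aws-5.4: pending (5.4.0-1073.78~18.04.1)
esm-infra/xenial_linux-aws: ignored (end of standard support)
"""

# Statuses that mean no further action is needed for that release/package
# (the same set the grep in the comment excludes). Assumed status vocabulary.
RESOLVED = {"released", "not-affected", "DNE", "ignored"}

# release names may carry a pocket prefix such as "fips/" or "esm-infra/";
# the first underscore separates the release from the source package name.
LINE_RE = re.compile(r"^([a-z0-9./-]+)_([^:\s]+): ([A-Za-z-]+)(?: \((.*)\))?$")


@dataclass(frozen=True)
class Entry:
    release: str
    package: str
    status: str
    note: Optional[str]  # version for "pending"/"released", reason for "ignored"


def parse_record(text: str) -> Iterator[Entry]:
    """Yield every release/package status line; header and indented lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield Entry(*m.groups())


def outstanding(text: str) -> List[Entry]:
    """Entries that still need an update: not upstream, and not in a resolved state."""
    return [e for e in parse_record(text)
            if e.release != "upstream" and e.status not in RESOLVED]


def report(text: str) -> List[str]:
    """Render outstanding entries in the tracker's own one-line style."""
    return [f"{e.release}_{e.package}: {e.status}" + (f" ({e.note})" if e.note else "")
            for e in outstanding(text)]


def days_open(text: str, as_of: str) -> Optional[int]:
    """Days between the record's PublicDate and an ISO date string (None if absent)."""
    for line in text.splitlines():
        if line.startswith("PublicDate:"):
            published = date.fromisoformat(line.split(":", 1)[1].strip()[:10])
            return (date.fromisoformat(as_of) - published).days
    return None


if __name__ == "__main__":
    print(f"public for {days_open(SAMPLE_RECORD, date.today().isoformat())} days")
    for row in report(SAMPLE_RECORD):
        print(row)
```

To use it against a live record, read the file fetched with the `wget` command from the comment in place of `SAMPLE_RECORD`; the `pending (version)` rows are the ones where a fix exists but has not reached the -updates or -security pocket yet, while `needed` and `needs-triage` rows are where no fix has been prepared.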

Changed in linux-dell300x (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gcp (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gcp-4.15 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gcp-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gcp-5.13 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gke (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gke-5.4 (Ubuntu):
status: Confirmed → Fix Committed
Changed in linux-gkeop (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-gkeop-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-hwe-5.13 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-hwe-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-ibm (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-ibm-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-kvm (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-oracle (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-oracle-5.13 (Ubuntu):
status: Confirmed → Fix Committed
Changed in linux-oracle-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-raspi (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-raspi-5.4 (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-raspi2 (Ubuntu):
status: Confirmed → Fix Committed
Changed in linux-riscv (Ubuntu):
status: Confirmed → Fix Committed
Changed in linux-snapdragon (Ubuntu):
status: Confirmed → Fix Released
Changed in linux-riscv (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-raspi2 (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-aws-5.4 (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-gke-5.4 (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-oracle-5.13 (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-bluefield (Ubuntu):
status: Confirmed → Fix Committed
Luís Infante da Câmara (luis220413) wrote:

Fixed in linux-bluefield 5.4.0-1040.44.

Changed in linux-bluefield (Ubuntu):
status: Fix Committed → Fix Released