CVE-2022-40982 on Ubuntu Mantic Linux Kernel still not fixed

Bug #2040280 reported by Tux Freedom
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| intel-microcode (Ubuntu) | Confirmed | Undecided | Unassigned | |
| Mantic | New | Undecided | Unassigned | |
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Mantic | Fix Released | Undecided | Unassigned | |

Bug Description

A `pro fix CVE-2022-40982` gives me "✘ CVE-2022-40982 is not resolved." Strangely, without a specific description of the affected package:

"1 package is still affected: linux"

But when I look up the CVE here: https://ubuntu.com/security/CVE-2022-40982
it is mentioned that the fix is contained in the new version of intel-microcode: mantic Released (3.20230808.1). And that's the version I seem to have installed:
`apt show intel-microcode`:

"Package: intel-microcode Version: 3.20230808.1"

Any ideas on that?

ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: intel-microcode 3.20230808.1
ProcVersionSignature: Ubuntu 6.5.0-9.9-generic 6.5.3
Uname: Linux 6.5.0-9-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: Unity:Unity7:ubuntu
Date: Tue Oct 24 16:05:24 2023
InstallationDate: Installed on 2022-08-05 (445 days ago)
InstallationMedia: Ubuntu Unity 22.04
SourcePackage: intel-microcode
UpgradeStatus: Upgraded to mantic on 2023-10-12 (12 days ago)

Eduardo Barretto (ebarretto) wrote :

Grant, could you please take a look at this report?

Grant Orndorff (orndorffgrant) wrote :

Thanks for the report and thanks for looping me in!

I think I was able to recreate this situation. The full output is
```
ubuntu@test:~$ pro fix CVE-2022-40982
CVE-2022-40982: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2022-40982

2 affected source packages are installed: intel-microcode, linux
(1/2) linux:
A fix is coming soon. Try again tomorrow.
(2/2) intel-microcode:
A fix is available in Ubuntu standard updates.
The update is already installed.

1 package is still affected: linux
✘ CVE-2022-40982 is not resolved.
```
`linux` is the source package of the "generic" linux kernel. The output for `linux` is "A fix is coming soon. Try again tomorrow.", which agrees with the page: https://ubuntu.com/security/CVE-2022-40982 - if you scroll down to the entry for `linux`, the status for mantic is "Pending".

So I think everything is working as expected. Let me know if you disagree.

Tux Freedom (jauntyjackalope) wrote :

Thank you very much for looking into this! Please excuse me, but may I ask:

Do I understand correctly that the bug is about the situation where the CVE is already secured on the system, because the current version of intel-microcode is updated, but it isn't shown correctly by pro fix because a kernel update is needed?

Or is the vulnerability still active because of the current kernel "linux"?

Thanks for your work and have a great day.

Grant Orndorff (orndorffgrant) wrote :

My understanding based on looking at the security data we have (that is presented on the website), is that the vulnerability is not fully fixed until the kernel is patched in addition to intel-microcode.

Eduardo will know more than me about the specifics of this vulnerability though.

Tux Freedom (jauntyjackalope) wrote :

Thank you for your answer, Grant.

Should I change the title of this bug? Right now it is: "pro fix shows CVE-2022-40982 is not resolved although fixed version is installed" and I think that doesn't precisely reflect the situation, since two components seem to need fixing to deal with this vulnerability:

1. The Intel Microcode - Done
2. The Linux Kernel on Mantic - open

So a better description may be: "CVE-2022-40982 on Ubuntu Mantic Linux Kernel still not fixed"?

ty everybody and have a great day (-:

summary: - pro fix shows CVE-2022-40982 is not resolved although fixed version is
- installed
+ CVE-2022-40982 on Ubuntu Mantic Linux Kernel still not fixed
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in intel-microcode (Ubuntu):
status: New → Confirmed
Thadeu Lima de Souza Cascardo (cascardo) wrote :

The kernel mitigations for this vulnerability were provided back in August, when Mantic was still the development release. So, though the Mantic target kernel had not been in the release pocket yet, the fixes were there, and it was marked as pending for the development release. When Mantic got released, the status was not updated fast enough.

So thank you for bringing this up, this has been fixed in our CVE tracker and CVE web pages now.

Cascardo.

Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Mantic):
status: New → Fix Released
Tux Freedom (jauntyjackalope) wrote (last edit):

Hello Cascardo,

thank you and anybody involved for your work! I can confirm that on my end, with:

Linux pro 6.5.0-10-generic #10-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 13 13:49:38 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux, mantic

and ubuntu-advantage-tools (30~23.10), a `pro fix CVE-2022-40982` generates:

```
CVE-2022-40982: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2022-40982

1 affected source package is installed: intel-microcode
(1/1) intel-microcode:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2022-40982 is resolved.
```

Interestingly, only the microcode package is listed, not, as before, both the microcode package and the "linux kernel".
But the output is pretty satisfying.

Have a great weekend, and thanks for working on one of the best things this world has to offer: Linux/GNU
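The two `pro fix` outputs quoted in this thread differ only in which source packages are listed and in the final verdict line. As an added example (not part of this bug report or of the pro client itself), here is a small parser for that output format, so a fleet-wide check can flag packages whose fix is reported as "coming soon" rather than trusting the final ✔/✘ line alone; the sample output is constructed from the text quoted above.

```python
import re

# Constructed sample input: the unresolved `pro fix` output quoted earlier in this thread.
UNRESOLVED_OUTPUT = """\
CVE-2022-40982: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2022-40982

2 affected source packages are installed: intel-microcode, linux
(1/2) linux:
A fix is coming soon. Try again tomorrow.
(2/2) intel-microcode:
A fix is available in Ubuntu standard updates.
The update is already installed.

1 package is still affected: linux
✘ CVE-2022-40982 is not resolved.
"""

PKG_HEADER = re.compile(r"^\((\d+)/(\d+)\) (\S+):$")            # "(1/2) linux:"
STILL_AFFECTED = re.compile(r"^\d+ packages? (?:is|are) still affected: (.+)$")
VERDICT = re.compile(r"(CVE-\d{4}-\d+) is (not )?resolved\.$")   # final ✔/✘ line

def parse_pro_fix(output):
    """Return {"cve", "packages": {name: [status lines]}, "still_affected": [...], "resolved": bool}."""
    result = {"cve": None, "packages": {}, "still_affected": [], "resolved": None}
    current = None  # source package whose status lines are being collected
    for line in output.splitlines():
        pkg = PKG_HEADER.match(line)
        if pkg:
            current = pkg.group(3)
            result["packages"][current] = []
            continue
        affected = STILL_AFFECTED.match(line)
        if affected:
            result["still_affected"] = [p.strip() for p in affected.group(1).split(",")]
            continue
        verdict = VERDICT.search(line)
        if verdict:
            result["cve"] = verdict.group(1)
            result["resolved"] = verdict.group(2) is None
            continue
        if current is not None and line.strip():
            result["packages"][current].append(line.strip())
    return result

def pending_packages(parsed):
    """Source packages the tool reports as not fixable yet ("A fix is coming soon")."""
    return sorted(name for name, msgs in parsed["packages"].items()
                  if any("coming soon" in m for m in msgs))
```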
