I filed this bug to alert that these vulnerabilities were unpatched for 2 months. Some kernels in supported Ubuntu releases are still affected:
$ wget https://git.launchpad.net/ubuntu-cve-tracker/plain/active/CVE-2022-25258
$ grep -vE '^(upstream_[a-z0-9.-]+: |Patches_[a-z0-9.-]+:$| break-fix:|([a-z]+|trusty/esm|esm-infra/xenial)_[a-z0-9.-]+: (DNE$|released |not-affected($| )|ignored)|$)' CVE-2022-25258
bionic_linux-aws-5.4: pending (5.4.0-1073.78~18.04.1)
focal_linux-bluefield: needed
fips/xenial_linux-fips: needs-triage
fips-updates/xenial_linux-fips: needs-triage
fips/bionic_linux-fips: needs-triage
fips-updates/bionic_linux-fips: needs-triage
fips/focal_linux-fips: needs-triage
fips-updates/focal_linux-fips: needs-triage
bionic_linux-gke-5.4: pending (5.4.0-1069.72~18.04.1)
bionic_linux-raspi2: pending (4.15.0-1109.116)
impish_linux-riscv: pending (5.13.0-1021.23)
focal_linux-oracle-5.13: pending (5.13.0-1028.33~20.04.1)

Please release patched versions of linux-bluefield and linux-fips.

** Changed in: linux-aws (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-aws-5.13 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-aws-5.4 (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: linux-azure (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-azure-4.15 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-azure-5.13 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-azure-5.4 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-dell300x (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-gcp (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-gcp-4.15 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: linux-gcp-5.4 (Ubuntu)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-aws in Ubuntu.
https://bugs.launchpad.net/bugs/1971205

Title:
  CVE-2022-25258 and CVE-2022-25375

Status in linux-aws package in Ubuntu: Fix Released
Status in linux-aws-5.13 package in Ubuntu: Fix Released
Status in linux-aws-5.4 package in Ubuntu: Fix Committed
Status in linux-azure package in Ubuntu: Fix Released
Status in linux-azure-4.15 package in Ubuntu: Fix Released
Status in linux-azure-5.13 package in Ubuntu: Fix Released
Status in linux-azure-5.4 package in Ubuntu: Fix Released
Status in linux-bluefield package in Ubuntu: Confirmed
Status in linux-dell300x package in Ubuntu: Fix Released
Status in linux-gcp package in Ubuntu: Fix Released
Status in linux-gcp-4.15 package in Ubuntu: Fix Released
Status in linux-gcp-5.13 package in Ubuntu: Confirmed
Status in linux-gcp-5.4 package in Ubuntu: Fix Released
Status in linux-gke package in Ubuntu: Confirmed
Status in linux-gke-5.4 package in Ubuntu: Confirmed
Status in linux-gkeop package in Ubuntu: Confirmed
Status in linux-gkeop-5.4 package in Ubuntu: Confirmed
Status in linux-hwe-5.13 package in Ubuntu: Confirmed
Status in linux-hwe-5.4 package in Ubuntu: Confirmed
Status in linux-ibm package in Ubuntu: Confirmed
Status in linux-ibm-5.4 package in Ubuntu: Confirmed
Status in linux-kvm package in Ubuntu: Confirmed
Status in linux-oracle package in Ubuntu: Confirmed
Status in linux-oracle-5.13 package in Ubuntu: Confirmed
Status in linux-oracle-5.4 package in Ubuntu: Confirmed
Status in linux-raspi package in Ubuntu: Confirmed
Status in linux-raspi-5.4 package in Ubuntu: Confirmed
Status in linux-raspi2 package in Ubuntu: Confirmed
Status in linux-riscv package in Ubuntu: Confirmed
Status in linux-snapdragon package in Ubuntu: Confirmed

Bug description:
  These packages are vulnerable to CVE-2022-25258 and CVE-2022-25375 in at least one Ubuntu release, as stated in the Ubuntu CVE Tracker. Please release fixed packages. Debian released an advisory on March 7.