Hi Noah, On Tue, Apr 22, 2025 at 01:49:39PM -0400, Noah Meyerhans wrote: > My employer is interested in seeing cifs-utils CVE-2025-2312 > (cifs.upcall program from the cifs-utils package makes an upcall to the > wrong namespace in containerized environments) fixed in bookworm. [1] > According to the tracker, the fix depends on a kernel change in addition > to the cifs-utils userspace fix [2, 3]. > > The kernel change doesn't appear to have been backported to any of the > kernel.org LTS trees, so I've suggested that the people responsible for > implementation of that change should also work to backport it there. > Without this, it seems that even trixie will be vulnerable. > > I don't believe that this issue warrants a DSA, or that it should be > considered RC for trixie. If we publish a fix, it should be by way of a > point release containing a kernel that includes the upstream change and > an updated cifs-utils package. Do the maintainers involved agree?
Speaking for the security-team, right the issue does not warrant a DSA on its own, it might be addressed in a point release (and have it already prepared in the occurence of using a kernel with the kernel side fix). I cannot speak though for the cifs-utils maintainers. > > In the event that upstream is unwilling to apply this change to the > kernel LTS trees, would the kernel team consider carrying it as a local > patch? Speaking for the kernel-team: No, if we want that change in stable and for the 6.1.y kernel then it should be accepted upstream in the 6.1.y series. As alternative your employer might use backports kernel? Regards, Salvatore
