6 comments

[ 13.5 ms ] story [ 148 ms ] thread
Can anyone comment on when this bug was first introduced?

Prior to 5.0.8 seems a little vague, or is my 2.4 box actually affected?

a more exhausting list of Kernels affected: https://www.securityfocus.com/bid/108283 (the link is in the article)
Thanks for the link - though I really couldn't find it in article. Doing a quick Ctrl+F on the source code doesn't show securityfocus being linked to at all.

Edit: HolyCarp: it looks like my ancient 2.4 kernel actually is vulnerable!

You are absolutely right they don't talk about it in the article. I got it from the NIST and I was thinking they talked about it but no.

Quite an impressive list of Kernel indeed.

This looks more like an automatically generated list of all releases "prior to 5.0.8". Since this vulnerability is apparently connected with net namespaces I doubt it goes all the way back to 2.0.

Edit: git blame shows this commit introducing the if statement that is touched by the patch linked by OP. It happened somewhere in the 4.2 branch. This doesn't mean that the problem was introduced exactly then, but it does show that it's relatively recent code.

https://github.com/torvalds/linux/commit/467fa15356acfb7b2ef...