Bug 1222387 (CVE-2024-26677)

Summary: VUL-0: CVE-2024-26677: kernel: rxrpc: Fix delayed ACKs to not set the reference serial number
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Denis Kirjanov <denis.kirjanov>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: denis.kirjanov, rfrohl, stoyan.manolov, vasant.karasulli
Version: unspecified
Flags: stoyan.manolov: needinfo? (denis.kirjanov)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/399984/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26677:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-05 13:39:08 UTC
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix delayed ACKs to not set the reference serial number

Fix the construction of delayed ACKs to not set the reference serial number
as they can't be used as an RTT reference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26677
https://www.cve.org/CVERecord?id=CVE-2024-26677
https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2
https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae
https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef
https://bugzilla.redhat.com/show_bug.cgi?id=2272834