Bug 881341 (CVE-2022-34666, CVE-2022-34665) - <x11-drivers/nvidia-drivers-{390.154:0/390,470.141.03:0/470,510.85.02:0/510,515.65.01:0/515}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-34666, CVE-2022-34665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvidia.custhelp.com/app/answe...
Whiteboard: A3 [glsa+]
Reported: 2022-11-14 22:25 UTC by John Helmert III
Modified: 2023-10-03 15:21 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 22:25:31 UTC
Details at URL. The table "CVE IDs Addressed in Each
Linux Driver Branch" only lists CVE-2022-31607, CVE-2022-31608, and
CVE-2022-31615 as addressed. Did they only address a subset of the
CVEs they've assigned?

Looks like at least some fixes are in 390.154, 470.141.03, 510.85.02,
and 515.65.01. Tree seems good, if all of the CVEs are addressed.
Comment 1 Ionen Wolkens gentoo-dev 2022-11-15 02:53:28 UTC
They're listed as fixed in the vGPU software table lower down with associated driver versions.

It's possible the fix is "in the drivers" but happened only when using virtual gpus in VMs. We don't package vGPU software, but guess no guarantee we're not affected if it's drivers.

Doesn't mention 390 but 390 is unusable for this afaik (on that note, next time there are vulnerabilities odds are 390 will be masked w/ security notice given nvidia won't report about 390.xx anymore in 2023 with the end of support -- eventually will be due for removal when it starts causing more issues).
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:17:11 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2023-10-03 12:47:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)