diff --git a/docs/security-events.md b/docs/security-events.md index 964866716..4faf4e069 100644 --- a/docs/security-events.md +++ b/docs/security-events.md @@ -8,7 +8,7 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien * [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075): Requires CONFIG_IP_SCTP=y, which we do not set. * [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076): - Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable + Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable to the ipv6 pieces that this patch fixes.) * [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16): This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable. @@ -19,6 +19,17 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien * [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229) This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels (specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug. +* [CVE-2017-9605](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605): + Requires CONFIG_DRM_VMWGFX=y, which we do not set. +* [CVE-2017-1000380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000380): + Requires CONFIG_SOUND=y, which we do not set. +* [CVE-2017-7518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518): + Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y. +* [CVE-2017-10810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810) + Requires CONFIG_DRM_VIRTIO_GPU, which we do not set. +* [CVE-2017-10911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911) + aka XSA-216: we only have the XEN frontend, and do not set + CONFIG_XEN_BLKDEV_BACKEND. ### Bugs fixed: 
@@ -34,5 +45,8 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien Users have access to ipv6 sockets (note that part of this is mitigated as well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit +* [CVE-2017-1000364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364): + [Qualys writeup](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt). + Fixed in kernels `>= 4.9.35, >= 4.11.8`, now packaged by LinuxKit. ### Bugs outstanding:
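Review bot: In the first hunk (the CVE-2017-9076 entry), changing "are vulnerable" to "were vulnerable" leaves the parenthetical without the kernel versions that carry the fix, so a reader cannot tell from this entry when the exposure to the ipv6 pieces ended. Consider stating the fixed versions here, or pointing to the "Bugs fixed" entry that mentions CONFIG_IP_DCCP and lists `>= 4.9.31, >= 4.10.16, >= 4.11.2`, which appears to be its counterpart.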
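Review bot: In the second hunk (the new entries from CVE-2017-9605 through CVE-2017-10911), the link targets and punctuation are inconsistent. Four of the links use `name=2017-...` without the `CVE-` prefix, while the CVE-2017-9605 link uses `name=CVE-2017-9605`. The CVE-2017-9605 link is also `http://` where the other new links are `https://`, and the CVE-2017-10810 and CVE-2017-10911 entries lack the colon after the link. `CONFIG_DRM_VIRTIO_GPU` is written without `=y`, unlike the other options in the list. Suggest normalizing every link to `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...` followed by a colon, and writing `CONFIG_DRM_VIRTIO_GPU=y`.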
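Review bot: In the third hunk (the CVE-2017-1000364 entry under "Bugs fixed"), the entry gives only a link to the Qualys writeup and a version range, with no one-line statement of what the bug is or what an attacker needs. The entry just above it does state the precondition ("Users have access to ipv6 sockets"). A short description would let the list be read without following the link. The fixed range `>= 4.9.35, >= 4.11.8` also omits the 4.10 series named in the adjacent entry and the 4.4 series named in the CVE-2016-10229 entry. If those series are still packaged, state their fixed versions or note that they are not covered.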