From 4bf7bfff2d79daf761ee5447b07163704bb5e2e3 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Fri, 7 Jul 2017 09:52:26 -0600 Subject: [PATCH] docs: add some more CVE writeups Signed-off-by: Tycho Andersen --- docs/security-events.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/security-events.md b/docs/security-events.md index 964866716..4faf4e069 100644 --- a/docs/security-events.md +++ b/docs/security-events.md @@ -8,7 +8,7 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien * [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075): Requires CONFIG_IP_SCTP=y, which we do not set. * [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076): - Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable + Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable to the ipv6 pieces that this patch fixes.) * [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16): This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable. 
@@ -19,6 +19,17 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien * [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229) This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels (specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug. +* [CVE-2017-9605](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605): + Requires CONFIG_DRM_VMWGFX=y, which we do not set. +* [CVE-2017-1000380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000380): + Requires CONFIG_SOUND=y, which we do not set. +* [CVE-2017-7518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518): + Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y. +* [CVE-2017-10810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810) + Requires CONFIG_DRM_VIRTIO_GPU, which we do not set. +* [CVE-2017-10911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911) + aka XSA-216: we only have the XEN frontend, and do not set + CONFIG_XEN_BLKDEV_BACKEND. ### Bugs fixed: @@ -34,5 +45,8 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien Users have access to ipv6 sockets (note that part of this is mitigated as well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit +* [CVE-2017-1000364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364): + [Qualys writeup](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt). + Fixed in kernels `>= 4.9.35, >= 4.11.8`, now packaged by LinuxKit. ### Bugs outstanding:
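Review bot: In the first hunk (the CVE-2017-9076 entry), the reworded parenthetical "we were vulnerable to the ipv6 pieces that this patch fixes" gives no kernel version at which that stopped being true. The "Bugs fixed" entry visible as context in the third hunk (the one mentioning ipv6 sockets and CONFIG_IP_DCCP) already lists `>= 4.9.31, >= 4.10.16, >= 4.11.2`. Suggest repeating those versions here or pointing to that entry, so someone reading only the mitigated list can tell which kernels are still exposed.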
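Review bot: In the second hunk, four of the five new links drop the `CVE-` prefix in the query string (`name=2017-1000380`, `name=2017-7518`, `name=2017-10810`, `name=2017-10911`), while the CVE-2017-9605 entry and the existing entries use `name=CVE-...`. Please use the full identifier in all of them so the links are uniform and searchable. Smaller points in the same hunk: the CVE-2017-10810 and CVE-2017-10911 entries lack the trailing colon after the link that the other new entries have; the CVE-2017-9605 link uses `http://` while the other new entries use `https://`; and CONFIG_DRM_VIRTIO_GPU is written without `=y`, unlike the neighbouring entries. Since this list is used to judge exposure, it would also help to write the option names in backticks as the existing `CONFIG_PRINTER=y` entry does.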
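Review bot: In the third hunk, the CVE-2017-1000364 entry lists fixed versions only for two series (`>= 4.9.35, >= 4.11.8`), whereas the entry directly above it also names a 4.10 version and the CVE-2016-10229 entry elsewhere in the file refers to 4.4 kernels. If any other series is still packaged, state its fixed version or say that it is not covered. The entry also links the Qualys writeup without a one-line description of the issue, unlike the neighbouring entries, which say what access or configuration the bug needs. A short summary next to the link would let readers assess it without leaving the page.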