Merge pull request #2165 from tych0/more-cve-writeups

docs: add some more CVE writeups
Riyaz Faizullabhoy 2017-07-07 11:06:10 -07:00 committed by GitHub
commit 1efc329ec4


@ -8,7 +8,7 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
* [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075):
Requires CONFIG_IP_SCTP=y, which we do not set.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable
to the ipv6 pieces that this patch fixes.)
* [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16):
This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable.
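Review bot: The reworded parenthetical on CVE-2017-9076 ("we were vulnerable to the ipv6 pieces that this patch fixes") is now in the past tense but does not say from which kernel version the fix applies, so a reader cannot tell whether a given image is covered. Suggest naming the fixed kernel versions here or pointing at the matching entry under "Bugs fixed". While touching these lines, CONFIG_IP_SCTP=y and CONFIG_IP_DCCP=y could be wrapped in backticks to match the `CONFIG_PRINTER=y` entry just below.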
@ -19,6 +19,17 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
* [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229)
This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels
(specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug.
* [CVE-2017-9605](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605):
Requires CONFIG_DRM_VMWGFX=y, which we do not set.
* [CVE-2017-1000380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000380):
Requires CONFIG_SOUND=y, which we do not set.
* [CVE-2017-7518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518):
Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y.
* [CVE-2017-10810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810)
Requires CONFIG_DRM_VIRTIO_GPU, which we do not set.
* [CVE-2017-10911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911)
aka XSA-216: we only have the XEN frontend, and do not set
CONFIG_XEN_BLKDEV_BACKEND.
### Bugs fixed:
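Review bot: Four of the new links (CVE-2017-1000380, CVE-2017-7518, CVE-2017-10810, CVE-2017-10911) pass `name=2017-...` without the `CVE-` prefix, while the CVE-2017-9605 entry added alongside them and the existing entries use `name=CVE-...`; suggest making the query strings consistent so all entries resolve the same way. The CVE-2017-10810 and CVE-2017-10911 entries also drop the trailing colon after the link, and CONFIG_DRM_VIRTIO_GPU is written without `=y`, unlike the other options in this list.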
@ -34,5 +45,8 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
Users have access to ipv6 sockets (note that part of this is mitigated as
well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels
`>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-1000364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364):
[Qualys writeup](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt).
Fixed in kernels `>= 4.9.35, >= 4.11.8`, now packaged by LinuxKit.
### Bugs outstanding:
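Review bot: The new CVE-2017-1000364 entry under "Bugs fixed" gives only the two links and the fixed versions, without the short statement of exposure that the entry above it has ("Users have access to ipv6 sockets ..."); suggest adding one sentence on why LinuxKit was affected. The fixed versions list only `>= 4.9.35, >= 4.11.8`, whereas the entry above also covers a 4.10.x kernel and the CVE-2016-10229 entry mentions 4.4.x, so it would help to state whether those series are fixed or no longer packaged.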