docs: add some more CVE writeups

Signed-off-by: Tycho Andersen <tycho@docker.com>
Tycho Andersen 2017-07-07 09:52:26 -06:00
parent 76509e34a2
commit 4bf7bfff2d

@ -8,7 +8,7 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
* [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075):
Requires CONFIG_IP_SCTP=y, which we do not set.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable
to the ipv6 pieces that this patch fixes.)
* [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16):
This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable.
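Review bot: The CVE-2017-9076 entry now reads "we were vulnerable to the ipv6 pieces" but does not say from which kernel the exposure ended, so a reader running an older LinuxKit build cannot tell whether it applies to them. Either state the fixed kernel versions in the parenthetical or point to the matching entry under "Bugs fixed". While touching this line, consider wrapping CONFIG_IP_DCCP=y in backticks to match the `CONFIG_PRINTER=y` entry below it.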
@ -19,6 +19,17 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
* [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229)
This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels
(specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug.
* [CVE-2017-9605](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605):
Requires CONFIG_DRM_VMWGFX=y, which we do not set.
* [CVE-2017-1000380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000380):
Requires CONFIG_SOUND=y, which we do not set.
* [CVE-2017-7518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518):
Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y.
* [CVE-2017-10810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810)
Requires CONFIG_DRM_VIRTIO_GPU, which we do not set.
* [CVE-2017-10911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911)
aka XSA-216: we only have the XEN frontend, and do not set
CONFIG_XEN_BLKDEV_BACKEND.
### Bugs fixed:
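Review bot: Four of the new links (CVE-2017-1000380, CVE-2017-7518, CVE-2017-10810, CVE-2017-10911) use `name=2017-...` in the query string, while the CVE-2017-9605 entry added in the same hunk and the existing entries use `name=CVE-2017-...`; please use the prefixed form throughout. The last two entries also drop the trailing colon after the link, and the CVE-2017-10810 line says "Requires CONFIG_DRM_VIRTIO_GPU" without the `=y` that every other entry carries. For the CVE-2017-7518 and CVE-2017-10911 entries, which rest on having only the guest or frontend side enabled, it would help to name the frontend option that is set next to CONFIG_XEN_BLKDEV_BACKEND, the way the KVM line names CONFIG_KVM_GUEST=y.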
@ -34,5 +45,8 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien
Users have access to ipv6 sockets (note that part of this is mitigated as
well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels
`>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-1000364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364):
[Qualys writeup](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt).
Fixed in kernels `>= 4.9.35, >= 4.11.8`, now packaged by LinuxKit.
### Bugs outstanding:
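Review bot: The CVE-2017-1000364 entry lists fixed kernels as `>= 4.9.35, >= 4.11.8` only, whereas the entry just above it also covers the 4.10 series and an earlier entry in this file refers to 4.4 kernels. If LinuxKit still packages 4.4 or 4.10 kernels, state whether they carry the fix or are still affected; if they are no longer packaged, say so. The entry also gives no one-line description of the exposure, unlike its neighbour ("Users have access to ipv6 sockets"); a short summary before the Qualys link would keep the list readable without following the reference.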