From 63d7e95467a720aaea27efd2d14e8d75f11d879b Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Tue, 30 May 2017 14:33:54 -0600 Subject: [PATCH] docs: add some writeups of recent CVEs Signed-off-by: Tycho Andersen --- docs/security-events.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/security-events.md b/docs/security-events.md index a9989988c..cabc3365a 100644 --- a/docs/security-events.md +++ b/docs/security-events.md @@ -5,6 +5,11 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien ### Bugs mitigated: +* [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075): + Requires CONFIG_IP_SCTP=y, which we do not set. +* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076): + Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable + to the ipv6 pieces that this patch fixes.) * [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16): This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable. * [CVE-2017-2636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636) @@ -16,3 +21,18 @@ The incomplete list below is an assessment of some CVEs, and LinuxKit's resilien (specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug. ### Bugs not mitigated: + + +### Bugs outstanding: + +* [CVE-2017-8890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890) + All users can do `accept()`, so we are vulnerable. +* [CVE-2017-9077](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077) + Same as CVE-2017-8890, but for ipv6. +* [CVE-2017-9074](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074): + Users have access to ipv6 sockets, so we are vulnerable. +* [CVE-2017-9242](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242): + Same as CVE-2017-9074. +* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076): + Users have access to ipv6 sockets (note that part of this is mitigated as + well, so listed above: we do not set CONFIG_IP_DCCP).