mirror of
				https://github.com/linuxkit/linuxkit.git
				synced 2025-10-26 03:53:43 +00:00 
			
		
		
		
	
		
			
				
	
	
	
		
			3.0 KiB
		
	
	
	
	
	
	
	
			
		
		
	
	
			3.0 KiB
		
	
	
	
	
	
	
	
LinuxKit Security Events
The incomplete list below is an assessment of some CVEs, and LinuxKit's resilience (or not) to them.
Bugs mitigated:
- CVE-2017-9075: Requires CONFIG_IP_SCTP=y, which we do not set.
- CVE-2017-9076: Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable to the ipv6 pieces that this patch fixes.)
- CVE-2017-1000363:
This CVE requires CONFIG_PRINTER=y, so we are not vulnerable.
- CVE-2017-2636
(exploit post):
This CVE requires CONFIG_N_HDLC={y|m}, which LinuxKit does not specify, and so is not vulnerable.
- CVE-2016-10229
This CVE only applies to kernels <= 4.5, <= 4.4.21. By using recent kernels (specifically, kernels=> 4.9, >= 4.4.21, LinuxKit mitigates this bug.
- CVE-2017-9605: Requires CONFIG_DRM_VMWGFX=y, which we do not set.
- CVE-2017-1000380: Requires CONFIG_SOUND=y, which we do not set.
- CVE-2017-7518: Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y.
- CVE-2017-10810 Requires CONFIG_DRM_VIRTIO_GPU, which we do not set.
- CVE-2017-10911 aka XSA-216: we only have the XEN frontend, and do not set CONFIG_XEN_BLKDEV_BACKEND.
Bugs fixed:
- CVE-2017-8890
All users can do accept(), mitigated for kernels>= 4.9.31, >= 4.10.16, >= 4.11.2now packaged by LinuxKit
- CVE-2017-9077 Same as CVE-2017-8890, but for ipv6.
- CVE-2017-9074:
Users have access to ipv6 sockets, mitigated for kernels >= 4.9.31, >= 4.10.16, >= 4.11.2now packaged by LinuxKit
- CVE-2017-9242: Same as CVE-2017-9074.
- CVE-2017-9076:
Users have access to ipv6 sockets (note that part of this is mitigated as
well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels
>= 4.9.31, >= 4.10.16, >= 4.11.2now packaged by LinuxKit
- CVE-2017-1000364:
Qualys writeup.
Fixed in kernels >= 4.9.35, >= 4.11.8, now packaged by LinuxKit.