github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-11-04 03:59:14 +00:00
Code Issues Projects Releases Wiki Activity
Files
d573e37fec1e1256b5abe4bc68b40de1508a1b13
linuxkit/docs/security-events.md
Riyaz Faizullabhoy 69b89869ea update security events with new kernels 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-06-12 14:52:33 -07:00

39 lines
2.0 KiB
Markdown
Raw Blame History

# LinuxKit Security Events
The incomplete list below is an assessment of some CVEs, and LinuxKit's resilience
(or not) to them.
### Bugs mitigated:
* [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075):
Requires CONFIG_IP_SCTP=y, which we do not set.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable
to the ipv6 pieces that this patch fixes.)
* [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16):
This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable.
* [CVE-2017-2636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636)
([exploit post](https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html)):
This CVE requires `CONFIG_N_HDLC={y|m}`, which LinuxKit does not specify, and so
is not vulnerable.
* [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229)
This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels
(specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug.
### Bugs fixed:
* [CVE-2017-8890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890)
All users can do `accept()`, mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-9077](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077)
Same as CVE-2017-8890, but for ipv6.
* [CVE-2017-9074](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074):
Users have access to ipv6 sockets, mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-9242](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242):
Same as CVE-2017-9074.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Users have access to ipv6 sockets (note that part of this is mitigated as
well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels
`>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
### Bugs outstanding:
Reference in New Issue View Git Blame Copy Permalink