github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-10-03 22:44:17 +00:00
Code Issues Projects Releases Wiki Activity
Files
f9da106c46a38e721c8ed26b66664a74e0f4e6dd
linuxkit/docs/security-events.md
Tycho Andersen 63d7e95467 docs: add some writeups of recent CVEs 
Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-05-31 11:37:03 -06:00

1.8 KiB
Raw Blame History

LinuxKit Security Events

The incomplete list below is an assessment of some CVEs, and LinuxKit's resilience (or not) to them.

Bugs mitigated:

  • CVE-2017-9075: Requires CONFIG_IP_SCTP=y, which we do not set.
  • CVE-2017-9076: Requires CONFIG_IP_DCCP=y, which we do not set. (However, we are vulnerable to the ipv6 pieces that this patch fixes.)
  • CVE-2017-1000363: This CVE requires CONFIG_PRINTER=y, so we are not vulnerable.
  • CVE-2017-2636 (exploit post): This CVE requires CONFIG_N_HDLC={y|m}, which LinuxKit does not specify, and so is not vulnerable.
  • CVE-2016-10229 This CVE only applies to kernels <= 4.5, <= 4.4.21. By using recent kernels (specifically, kernels => 4.9, >= 4.4.21, LinuxKit mitigates this bug.

Bugs not mitigated:

Bugs outstanding:

  • CVE-2017-8890 All users can do accept(), so we are vulnerable.
  • CVE-2017-9077 Same as CVE-2017-8890, but for ipv6.
  • CVE-2017-9074: Users have access to ipv6 sockets, so we are vulnerable.
  • CVE-2017-9242: Same as CVE-2017-9074.
  • CVE-2017-9076: Users have access to ipv6 sockets (note that part of this is mitigated as well, so listed above: we do not set CONFIG_IP_DCCP).