![]() |
|
Date: Mon, 24 Oct 2011 17:16:32 +0800 From: Eugene Teo <eugene@...hat.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: kernel; CVE-2011-2942 and CVE-2011-3209 CVE-2011-2942; In the br_forward_finish() function, we may call kfree() on the skb we are forwarding, and so, after it, we should not dereference skb->dev pointer. With the fix, we save skb->dev before calling the br_forward_finish() function, so that we can use it afterwards. It's a regression from a commit that we have backported to our kernels. It doesn't affect the upstream kernel as the code was rewritten. https://bugzilla.redhat.com/CVE-2011-2942 https://www.redhat.com/security/data/cve/CVE-2011-2942.html CVE-2011-3209; divide error issue in the clock implementation. http://git.kernel.org/linus/f8bd2258e2d520dff28c855658bd24bdafb5102d https://bugzilla.redhat.com/CVE-2011-3209 https://www.redhat.com/security/data/cve/CVE-2011-3209.html Thanks, Eugene -- Eugene Teo / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.