Date: Mon, 25 Mar 2013 12:17:26 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: kseifried@...hat.com, Mathias Krause <minipli@...glemail.com>
Subject: Re: Linux kernel: net - three info leaks in rtnl

On Mon, Mar 25, 2013 at 12:15:38PM +0100, Moritz Muehlenhoff wrote:
> Hi,
> 
> > On 03/19/2013 03:15 PM, Mathias Krause wrote:
> > > I fixed a few more info leaks in linux v3.9-rc3. Unprivileged
> > > users can use the netlink interface to exploit the following issues
> > > to disclose kernel stack memory:
> > > 
> > > 29cd8ae dcbnl: fix various netlink info leaks
> > > http://git.kernel.org/linus/29cd8ae0e1a39e239a3a7b67da1986add1199fc0
> > >
> > > 84d73cd rtnl: fix info leak on RTM_GETLINK request for VF devices
> > > http://git.kernel.org/linus/84d73cd3fb142bf1298a8c13fd4ca50fd2432372
> > >
> > > c085c49 bridge: fix mdb info leaks
> > > http://git.kernel.org/linus/c085c49920b2f900ba716b4ca1c1a55ece9872cc
> > >
> > > David Miller did backports for the above issues which are
> > > currently under review and should end up in the next stable and
> > > longterm kernels.
> > > 
> > > Regards, Mathias
> > 
> > CVE Merge - same researcher/vuln/version. Please use CVE-2013-1873 for
> > these issues.
> 
> These appeared in the CVE updates under different IDs now:
> 
> 29cd8ae: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634
> 84d73cd: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635
> c085c49: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2636
> 
> Which shall we use?

Ah, I just noticed that 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1873 has already
been marked as rejected.

Cheers,
        Moritz
