Date: Tue, 17 Mar 2015 18:02:41 +0100
From: Peter Kjellström <cap@....liu.se>
To: oss-security@...ts.openwall.com
Subject: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs)

My first post and it may not even be the right place so sorry in
advance...

Not entirely sure what to expect from the NVD site for a CVE like this
(about 1 week old counting from Red Hat's advisory) but information is at
best incomplete at:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159

Here are a few problems with the info:

 * rhel6 / 2.6.32 is listed as impacted (but already the linked bz
   expands this to rhel5 and rhel7).
 * In fact this bug (as I understand it) is in all versions of the
   verbs kernel module except some point in 3.19.xxx and rhel6 updates.
   Affected list grows to:
    1) other distributions building kernel with infiniband/verbs enabled
    2) other distributions providing "external" infiniband/verbs modules
    3) other sources providing 3rd party infiniband/verbs modules
 * I know that Mellanox (found under 3 above) has released an update
   (MLNX_OFED 2.4-1) that fixes the issue, but this info is missing.
   https://community.mellanox.com/message/4401#4401

If this was not the correct place to contribute/fix information maybe
someone can point me in the correct direction.

/Peter K
