Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Mar 2015 18:02:41 +0100
From: Peter Kjellström <cap@....liu.se>
To: oss-security@...ts.openwall.com
Subject: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs)

My first post and it may not even be the right place so sorry in
advance...

Not entirely sure what to expect from the nvd site for a CVE like this
(about 1 week old counting from redhats advisory) but information is at
best incomplete at:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159

Here are a few problems with the info:

 * rhel6 / 2.6.32 is listed as impacted (but already the linked bz
   expands this to rhel5 and rhel7.
 * In fact this bug (as I understand it) is in all versions of the
   verbs kernel module except some point in 3.19.xxx and rhel6 updates.
   Affected list grows to:
    1) other distributions building kernel with infiniband/verbs enabled
    2) other distributions providing "external" infiniband/verbs modules
    3) other sources providing 3rd party infiniband/verbs modules
 * I know that Mellanox (found under 3 above) has released an update
   (MLNX_OFED 2.4-1) that fixes the issue, but this info is missing.
   https://community.mellanox.com/message/4401#4401

If this was not the correct place to contribute/fix information maybe
someone can point me in the correct direction.

/Peter K

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ