Date: Tue, 17 Mar 2015 18:02:41 +0100 From: Peter Kjellström <cap@....liu.se> To: oss-security@...ts.openwall.com Subject: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs) My first post and it may not even be the right place so sorry in advance... Not entirely sure what to expect from the nvd site for a CVE like this (about 1 week old counting from redhats advisory) but information is at best incomplete at: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159 Here are a few problems with the info: * rhel6 / 2.6.32 is listed as impacted (but already the linked bz expands this to rhel5 and rhel7. * In fact this bug (as I understand it) is in all versions of the verbs kernel module except some point in 3.19.xxx and rhel6 updates. Affected list grows to: 1) other distributions building kernel with infiniband/verbs enabled 2) other distributions providing "external" infiniband/verbs modules 3) other sources providing 3rd party infiniband/verbs modules * I know that Mellanox (found under 3 above) has released an update (MLNX_OFED 2.4-1) that fixes the issue, but this info is missing. https://community.mellanox.com/message/4401#4401 If this was not the correct place to contribute/fix information maybe someone can point me in the correct direction. /Peter K
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ