Date: Tue, 17 Mar 2015 18:02:41 +0100 From: Peter Kjellström <cap@....liu.se> To: oss-security@...ts.openwall.com Subject: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs) My first post and it may not even be the right place so sorry in advance... Not entirely sure what to expect from the nvd site for a CVE like this (about 1 week old counting from redhats advisory) but information is at best incomplete at: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159 Here are a few problems with the info: * rhel6 / 2.6.32 is listed as impacted (but already the linked bz expands this to rhel5 and rhel7. * In fact this bug (as I understand it) is in all versions of the verbs kernel module except some point in 3.19.xxx and rhel6 updates. Affected list grows to: 1) other distributions building kernel with infiniband/verbs enabled 2) other distributions providing "external" infiniband/verbs modules 3) other sources providing 3rd party infiniband/verbs modules * I know that Mellanox (found under 3 above) has released an update (MLNX_OFED 2.4-1) that fixes the issue, but this info is missing. https://community.mellanox.com/message/4401#4401 If this was not the correct place to contribute/fix information maybe someone can point me in the correct direction. /Peter K
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.