[kernel-sec-discuss] r5099 - active retired

Ben Hutchings benh at moszumanska.debian.org
Tue Mar 21 00:44:17 UTC 2017


Author: benh
Date: 2017-03-21 00:44:17 +0000 (Tue, 21 Mar 2017)
New Revision: 5099

Added:
   active/CVE-2017-5970
Removed:
   retired/CVE-2017-5970
Log:
Re-activate CVE-2017-5970 as it does affect 3.2

Copied: active/CVE-2017-5970 (from rev 5098, retired/CVE-2017-5970)
===================================================================
--- active/CVE-2017-5970	                        (rev 0)
+++ active/CVE-2017-5970	2017-03-21 00:44:17 UTC (rev 5099)
@@ -0,0 +1,15 @@
+Description: ipv4: Invalid IP options could cause skb->dst drop
+References:
+ http://seclists.org/oss-sec/2017/q1/414
+ https://patchwork.ozlabs.org/patch/724136/
+Notes:
+ bwh> This was actually introduced in 2.6.35 by commit f84af32cbca70
+ bwh> ("net: ip_queue_rcv_skb() helper").
+Bugs:
+upstream: released (4.10-rc8) [34b2cef20f19c87999fff3da4071e66937db9644]
+4.9-upstream-stable: released (4.9.11) [f5b54446630a973e1f27b68599366bbd0ac53066]
+3.16-upstream-stable: released (3.16.41) [ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
+3.2-upstream-stable: needed
+sid: released (4.9.10-1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch]
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
+3.2-wheezy-security: needed
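
Review bot: The Notes entry cites the introducing commit by an abbreviated hash (f84af32cbca70), while every status line in this file uses the full 40-character hash. Giving the full hash here would keep the reference unambiguous and consistent. Separately, the sid patch name is spelled "...-of-IP-options.patch" while the 3.16 and jessie entries use "...-of-ip-options.patch"; it is worth confirming that each spelling matches the file name in its own branch, since a tracker lookup by patch name is case-sensitive.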

Deleted: retired/CVE-2017-5970
===================================================================
--- retired/CVE-2017-5970	2017-03-20 19:46:34 UTC (rev 5098)
+++ retired/CVE-2017-5970	2017-03-21 00:44:17 UTC (rev 5099)
@@ -1,13 +0,0 @@
-Description: ipv4: Invalid IP options could cause skb->dst drop
-References:
- http://seclists.org/oss-sec/2017/q1/414
- https://patchwork.ozlabs.org/patch/724136/
-Notes:
-Bugs:
-upstream: released (4.10-rc8) [34b2cef20f19c87999fff3da4071e66937db9644]
-4.9-upstream-stable: released (4.9.11) [f5b54446630a973e1f27b68599366bbd0ac53066]
-3.16-upstream-stable: released (3.16.41) [ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with d826eb14ecef3574b6b3be55e5f4329f4a76fbf3"
-sid: released (4.9.10-1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch]
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
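
Review bot: The two N/A lines removed here held the earlier rationale for 3.2 ("Vulnerable code introduced in 3.3-rc1 with d826eb14ecef3574b6b3be55e5f4329f4a76fbf3" and "Vulnerable code not present"), and nothing in the re-activated file says that this attribution was superseded. A short Notes line in active/CVE-2017-5970 stating that the d826eb14ecef attribution was wrong, and that the 2.6.35 commit is the real origin, would let a reader see why 3.2 moved from N/A to needed without digging through revision history.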
