Bug 1077343 (CVE-2014-2523)
| Summary: | CVE-2014-2523 kernel: netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Petr Matousek <pmatouse> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | agordeev, anton, aquini, bhu, carnil, ctrianta, davej, dhoward, edbrand, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jkurik, jonathan, jross, jscalf, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mmilgram, npajkovs, pholasek, plougher, pmatouse, ppandit, rt-maint, rvrbovsk, shobbs, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-03 07:15:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1077345, 1077346, 1077347, 1077349, 1077350, 1077351, 1083122, 1083123, 1083124 | ||
| Bug Blocks: | 1077357 | ||
|
Description
Petr Matousek
2014-03-17 19:17:27 UTC
Statement: This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1077350] kernel-3.13.7-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. kernel-3.13.7-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Question on alternatives: Are there any workarounds/config changes that can be implemented to mitigate the risk such as the ones listeed in the followin link: https://odesk.by/archives/2107#more-2107 My concern is with RHEL 6 where no patch exists yet. (In reply to Ed Brand from comment #8) > Are there any workarounds/config changes that can be implemented to mitigate > the risk such as the ones listeed in the followin link: > > https://odesk.by/archives/2107#more-2107 > > My concern is with RHEL 6 where no patch exists yet. The link pretty much sums up the mitigation options. I'd recommend to prevent nf_conntrack_proto_dccp module from being loaded by adding "install nf_conntrack_proto_dccp /bin/true" to file "/etc/modprobe.d/blacklist.conf". Hope that helps. -- Petr Matousek / Red Hat Security Response Team This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2014:0439 https://rhn.redhat.com/errata/RHSA-2014-0439.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0475 https://rhn.redhat.com/errata/RHSA-2014-0475.html This issue has been addressed in following products: Red Hat Enterprise Linux 6.2 AUS Via RHSA-2014:0520 https://rhn.redhat.com/errata/RHSA-2014-0520.html This issue has been addressed in following products: Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only Via RHSA-2014:0593 https://rhn.redhat.com/errata/RHSA-2014-0593.html This issue has been addressed in following products: Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only Via RHSA-2014:0634 https://rhn.redhat.com/errata/RHSA-2014-0634.html |