Bug 474495 (CVE-2008-5700)
| Field | Value |
|---|---|
| Summary | CVE-2008-5700 kernel: enforce a minimum SG_IO timeout |
| Product | [Other] Security Response |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | anton, bhu, dhoward, jpirko, lgoncalv, lwang, peterm, qcai, security-response-team, vgoyal, williams |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2010-12-24 03:50:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 475403, 475404, 475405, 475406, 475407 |
Description
Eugene Teo (Security Response) 2008-12-04 02:20:10 UTC

Consensus is to enforce a minimum 7 second timeout (which is the timeout windoze uses for general commands on ATA). You need to be able to open the cdrom device (i.e. log in as a normal user from the console and then access it via ssh) or have access to /dev/sg*, which is root only in all sane systems.

Upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f2f1fa78a155524b849edf359e42a3001ea652c0

Created attachment 326257: Upstream patch

This issue has been addressed in the following products: Red Hat Enterprise Linux 4, via RHSA-2009:0331, http://rhn.redhat.com/errata/RHSA-2009:0331.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2009:0326, https://rhn.redhat.com/errata/RHSA-2009-0326.html

This was also addressed via: MRG Realtime for RHEL 5 Server (RHSA-2009:0053)
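The fix tracked by this bug makes the block layer refuse to run an SG_IO request with a timeout shorter than 7 seconds, regardless of what the caller asks for. The following user-space C model is an added illustration, not code from this bug, the upstream commit or the Red Hat errata: it reproduces the selection order as described here (the caller's sg_io_hdr timeout in milliseconds if set, otherwise the queue's own default, otherwise a fallback default, then the 7 s floor) and contrasts it with the unclamped behaviour that allowed a near-zero timeout. The tick rate MODEL_HZ, the 60 s fallback default and all function names are assumptions of this model, not values taken from the page.

```c
/* Added example: user-space model of the SG_IO timeout selection after the
 * "enforce a minimum SG_IO timeout" fix. Not kernel code; constants other
 * than the 7 s floor are assumptions chosen for the model. */
#include <stdio.h>

#define MODEL_HZ                1000UL              /* assumed tick rate: 1 jiffy = 1 ms */
#define BLK_MIN_SG_TIMEOUT      (7UL * MODEL_HZ)    /* the 7 s floor from the fix */
#define BLK_DEFAULT_SG_TIMEOUT  (60UL * MODEL_HZ)   /* assumed default when nothing is set */

/* Convert a millisecond value to model jiffies, rounding up so that a
 * non-zero request never collapses to zero jiffies. */
static unsigned long msecs_to_jiffies_model(unsigned int ms)
{
    return ((unsigned long)ms * MODEL_HZ + 999UL) / 1000UL;
}

/* Timeout a request received before the fix: caller value, then queue
 * default, then the fallback default, with no lower bound. */
unsigned long sg_timeout_before_fix(unsigned int hdr_timeout_ms, unsigned long queue_sg_timeout)
{
    unsigned long t = 0;
    if (hdr_timeout_ms)
        t = msecs_to_jiffies_model(hdr_timeout_ms);
    if (!t)
        t = queue_sg_timeout;
    if (!t)
        t = BLK_DEFAULT_SG_TIMEOUT;
    return t;
}

/* Timeout a request receives after the fix: same selection, then clamped
 * so the device is never given less than BLK_MIN_SG_TIMEOUT to respond. */
unsigned long sg_timeout_after_fix(unsigned int hdr_timeout_ms, unsigned long queue_sg_timeout)
{
    unsigned long t = sg_timeout_before_fix(hdr_timeout_ms, queue_sg_timeout);
    if (t < BLK_MIN_SG_TIMEOUT)
        t = BLK_MIN_SG_TIMEOUT;
    return t;
}

int main(void)
{
    /* Constructed sample requests: (caller timeout in ms, queue default in jiffies). */
    const unsigned int   hdr_ms[] = { 1,    0,     30000, 0,     0 };
    const unsigned long  q_def[]  = { 0,    0,     0,     10000, 3000 };
    size_t i;

    printf("%-12s %-12s %-12s %-12s\n", "hdr_ms", "queue_def", "before(j)", "after(j)");
    for (i = 0; i < sizeof hdr_ms / sizeof hdr_ms[0]; i++)
        printf("%-12u %-12lu %-12lu %-12lu\n", hdr_ms[i], q_def[i],
               sg_timeout_before_fix(hdr_ms[i], q_def[i]),
               sg_timeout_after_fix(hdr_ms[i], q_def[i]));
    return 0;
}
```

The first row is the interesting one: a 1 ms caller timeout used to be honoured as a single jiffy, which is far shorter than the time an ATA device needs to answer a general command; after the fix it is raised to the floor. Values already above 7 s, including a larger queue default, pass through unchanged.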