[Secure-testing-commits] r13606 - data/CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Sat Dec 19 21:20:09 UTC 2009
Author: gilbert-guest
Date: 2009-12-19 21:20:09 +0000 (Sat, 19 Dec 2009)
New Revision: 13606
Modified:
data/CVE/list
Log:
info on some old kernel issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-19 21:14:16 UTC (rev 13605)
+++ data/CVE/list 2009-12-19 21:20:09 UTC (rev 13606)
@@ -17645,11 +17645,12 @@
NOTE: just a crasher, no security implications known so far
NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
CVE-2008-4609 (The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, ...)
- - linux-2.6 <unfixed> (low)
- [etch] - linux-2.6 <no-dsa> (no upstream fix available)
- [lenny] - linux-2.6 <no-dsa> (no upstream fix available)
- - linux-2.6.24 <removed> (low)
- NOTE: lots of speculation, nothing very definitive (but fixed recently my microsoft)
+ - linux-2.6 <unfixed> (unimportant)
+ - linux-2.6.24 <removed> (unimportant)
+ NOTE: this is a design flaw in TCP itself; maximum impact is a denial-of-service
+ NOTE: there is no upstream solution
+ NOTE: see http://kbase.redhat.com/faq/docs/DOC-18730 for possible mitigation via iptables
+ NOTE: also see usage of ipt_connlimit as a mitigation strategy
CVE-2008-4608
RESERVED
CVE-2008-4607
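Review bot: the new NOTE says "maximum impact is a denial-of-service", which by itself argues for keeping the (low) rating rather than dropping to (unimportant); if the downgrade is because a protocol-level DoS with no upstream fix is not actionable for Debian, the NOTE should say that explicitly, since the three NOTE lines as written read as a justification for low. Dropping the [etch]/[lenny] <no-dsa> lines is consistent with the unimportant rating, so no objection there. On the last NOTE, "ipt_connlimit" is the old patch-o-matic name; in the 2.6.32 kernel this entry now tracks, the match is xt_connlimit and is used as "iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above N -j DROP", so spelling it that way would make the mitigation note directly usable.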
@@ -72310,7 +72311,11 @@
- linux-2.6 2.6.10-1 (low)
- linux-2.6.24 <not-affected> (fixed before initial upload)
CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file systems ...)
- TODO: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies
+ - linux-2.6 2.6.32-2 (unimportant)
+ - linux-2.6.24 <removed> (unimportant)
+ NOTE: minor issue; solution (removal of cryptoloop) would be a significant change
+ NOTE: if backported to the stable releases
+ NOTE: mitigation: use dm-crypt or loop-aes for disk encrytion instead of cryptoloop
CVE-2004-2134 (Oracle toplink mapping workBench uses a weak encryption algorithm for ...)
NOT-FOR-US: Oracle
CVE-2004-2133 (Certain third-party packages for CVSup 16.1h, such as SuSE Linux, ...)
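Review bot: the mitigation NOTE ("use dm-crypt or loop-aes for disk encrytion instead of cryptoloop") should name the IV mode, because dm-crypt with a plain sector-number IV (e.g. aes-cbc-plain) has the same predictable-IV property that makes the cryptoloop watermark attack work; recommend stating "dm-crypt with an essiv IV (e.g. aes-cbc-essiv:sha256, the cryptsetup LUKS default)". Also fix the typo "encrytion" -> "encryption" in that line. Separately, "linux-2.6 2.6.32-2 (unimportant)" marks the issue as fixed in that upload while the NOTE says the only solution is removal of cryptoloop; if 2.6.32-2 is listed because cryptoloop is no longer built there, a NOTE saying so would make the fixed-version entry self-explanatory.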