[security-announce] kernel-net-sctp: security update

Sona Sarmadi sona.sarmadi at enea.com
Sat Jan 24 14:27:36 CET 2015



			Enea Linux Security Advisory
Fix skb_over_panic when receiving malformed ASCONF chunks

======================================================================
Product/package: kernel-net-sctp: (FSL kernel: 3.8.11)
Severity: Moderate
Issue date: 2015-01-24
CVE Names: CVE-2014-3673
Layer: meta-enea
======================================================================
A security patch that fixes CVE-2014-3673 is now available in the
"http://linux.enea.com/4.0/patches" folder:

README file: 0022-kernel-NET-SCTP-CVE-2014-3673.README	
Patch file: 0022-kernel-NET-SCTP-CVE-2014-3673.patch

Description
===========
The SCTP implementation in the Linux kernel through 3.17.2
allows remote attackers to cause a denial of service
(system crash) via a malformed ASCONF chunk, related to
net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3673

How to apply the patches
=========================
We recommend that you apply all existing patches available in the
http://linux.enea.com/4.0/patches folder. If you decide for some
reason to skip any patches, manual modification of recipes (xxxx.bb
or xxxx.bbappend) might be needed.

- Make sure that you have an installation of Enea Linux:
wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
 <Apply the existing patches>

- Fetch and apply the new patch:
cd Enea-Linux-4.0/poky/meta-enea
wget http://linux.enea.com/4.0/patches/0022-kernel-NET-SCTP-CVE-2014-3673.patch
patch -p1 < ./0022-kernel-NET-SCTP-CVE-2014-3673.patch


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

ESRT (Enea Security Response Team)
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.

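The "patch -p1" step in "How to apply the patches" modifies the layer in place, so a patch that only partly fits (for example because an earlier patch was skipped) can leave recipes half-changed. The following is an added example, not part of the advisory or of Enea Linux: a hypothetical helper, apply_patch_checked, that dry-runs the patch first and reports whether it is already applied. It assumes GNU patch, which provides --dry-run.

```shell
#!/bin/sh
# Added example: apply a patch only after a dry run confirms it fits the tree.
# apply_patch_checked is a hypothetical helper name, not part of Enea Linux.
# Return codes: 0 = applied now, 1 = does not apply cleanly (tree untouched),
#               2 = bad arguments,  3 = already applied (tree untouched).
apply_patch_checked() {
    tree=$1
    patchfile=$2
    [ -d "$tree" ] && [ -f "$patchfile" ] || return 2

    # Resolve the patch to an absolute path before changing directory.
    case $patchfile in
        /*) ;;
        *) patchfile=$(pwd)/$patchfile ;;
    esac

    (
        cd "$tree" || exit 2
        # A reverse dry run that succeeds means the change is already present.
        if patch -p1 -R -f -s --dry-run < "$patchfile" >/dev/null 2>&1; then
            exit 3
        fi
        # A forward dry run that fails means the tree differs from what the
        # patch expects, for example because an earlier patch was skipped.
        if ! patch -p1 -N -f -s --dry-run < "$patchfile" >/dev/null 2>&1; then
            exit 1
        fi
        # Both checks passed: apply for real.
        patch -p1 -N -s < "$patchfile" >/dev/null
    )
}
```

Called as apply_patch_checked Enea-Linux-4.0/poky/meta-enea 0022-kernel-NET-SCTP-CVE-2014-3673.patch, a return code of 1 means the layer was left unmodified and the recipes need manual attention.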


