[security-announce] kernel-net-sctp: security update

Sona Sarmadi sona.sarmadi at enea.com
Mon Jan 26 09:45:49 CET 2015



	Enea Linux Security Advisory

sctp: fix panic on duplicate ASCONF chunks
=========================================================
Product/package: kernel-net-sctp: (FSL kernel: 3.8.11)
Severity: Important
Issue date: 2015-01-26
CVE Names: CVE-2014-3687
Layer: meta-enea
=========================================================
A security patch that fixes CVE-2014-3687 is now available
at http://linux.enea.com/4.0/patches:

README file: 0023-kernel-NET-SCTP-CVE-2014-3687.README
Patch file: 0023-kernel-NET-SCTP-CVE-2014-3687.patch

Description
===========
The sctp_assoc_lookup_asconf_ack function in
net/sctp/associola.c in the SCTP implementation in the
Linux kernel through 3.17.2 allows remote attackers to
cause a denial of service (panic) via duplicate ASCONF
chunks that trigger an incorrect uncork within the
side-effect interpreter.

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3687

How to apply the patches
=========================
We recommend that you apply all existing patches available at
http://linux.enea.com/4.0/patches.

- Make sure that you have an installation of Enea Linux and have
  applied all previous patches:

  wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
  tar zxf Enea-Linux-4.0.tar.gz
  <Apply the existing patches>
  wget http://linux.enea.com/4.0/patches/0001-Fix-for-OpenSSL-security-vulnerabilities.patch
  patch -p1 < ./0001-Fix-for-OpenSSL-security-vulnerabilities.patch
  wget http://linux.enea.com/4.0/patches/0002-Fix-for-shellshock.patch
  patch -p1 < ./0002-Fix-for-shellshock.patch
  wget http://linux.enea.com/4.0/patches/0003-Fix-for-OpenSSL-CVE-2014-3566.patch
  patch -p1 < ./0003-Fix-for-OpenSSL-CVE-2014-3566.patch
  ...

- Fetch and apply the new patch:

  cd Enea-Linux-4.0/poky/meta-enea
  wget http://linux.enea.com/4.0/patches/0023-kernel-NET-SCTP-CVE-2014-3687.patch
  patch -p1 < ./0023-kernel-NET-SCTP-CVE-2014-3687.patch
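The steps above apply a numbered series of patches by hand with "patch -p1". The
script below is an added example, not part of the Enea advisory or of the Enea
Linux distribution: it applies every patch in a directory in numbered order,
checks with a dry run that each one applies cleanly before touching the tree (so
a failed hunk does not leave a half-patched source and .rej files behind), and
skips patches that are already present, so re-running it after a later advisory
is safe. The directory layout, the patch directory name and the tiny demo tree
and patch it creates are constructed for the example; real advisories are
fetched from http://linux.enea.com/4.0/patches as shown above.

```shell
#!/bin/sh
# Added example (not Enea's code): apply numbered patches in order with
# dry-run checks. Assumes GNU-style "patch" with -d, -p, -R, -f and --dry-run.

# apply_patch TREE PATCHFILE
# Returns 0 if the patch is now applied (newly or already), 1 otherwise.
apply_patch() {
    tree=$1
    pfile=$2
    # Already applied? A reverse dry run succeeds only if the tree already
    # contains the patched lines. -f keeps patch from asking questions.
    if patch -d "$tree" -p1 -R -f --dry-run --silent < "$pfile" >/dev/null 2>&1; then
        echo "skip (already applied): $(basename "$pfile")"
        return 0
    fi
    # Does it apply cleanly? Check before modifying anything.
    if ! patch -d "$tree" -p1 -f --dry-run --silent < "$pfile" >/dev/null 2>&1; then
        echo "FAIL (does not apply): $(basename "$pfile")" >&2
        return 1
    fi
    patch -d "$tree" -p1 -f --silent < "$pfile" || return 1
    echo "applied: $(basename "$pfile")"
}

# apply_series TREE PATCH_DIR
# Applies every *.patch in PATCH_DIR in lexical (numbered) order, stopping at
# the first patch that does not apply.
apply_series() {
    tree=$1
    dir=$2
    for pfile in "$dir"/*.patch; do
        [ -e "$pfile" ] || { echo "no patches in $dir" >&2; return 1; }
        apply_patch "$tree" "$pfile" || return 1
    done
}

# demo: constructed tree and patch so the script runs offline. Returns 0 when
# the patch is applied once and a second run is a no-op.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/tree/net/sctp" "$work/patches"
    printf 'int fixed = 0;\n' > "$work/tree/net/sctp/example.c"
    cat > "$work/patches/0001-example.patch" <<'EOF'
--- a/net/sctp/example.c
+++ b/net/sctp/example.c
@@ -1 +1 @@
-int fixed = 0;
+int fixed = 1;
EOF
    apply_series "$work/tree" "$work/patches" || { rm -rf "$work"; return 1; }
    # Second run must skip the already-applied patch without error.
    apply_series "$work/tree" "$work/patches" || { rm -rf "$work"; return 1; }
    grep -q 'int fixed = 1;' "$work/tree/net/sctp/example.c"
    status=$?
    rm -rf "$work"
    return $status
}
```

Usage against a real checkout would be "apply_series Enea-Linux-4.0/poky/meta-enea ./patches"
after downloading the advisory patches into ./patches; the lexical order of the
00NN- prefixes is what preserves the sequence the advisory relies on.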

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

ESRT (Enea Security Response Team)
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.


