[security-announce] kernel-net-sctp: security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Jan 27 08:22:56 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: kernel-net-sctp: (FSL kernel: 3.8.11)
Severity: Important
Issue date: 2015-01-27
CVE Names: CVE-2014-3688
Layer: meta-enea
=========================================================
A security patch that fixes "remote memory pressure from excessive
queueing" is now available at http://linux.enea.com/4.0/patches:

README file: 0024-kernel-NET-SCTP-CVE-2014-3688.README
Patch file: 0024-kernel-NET-SCTP-CVE-2014-3688.patch

Description
===========
The SCTP implementation in the Linux kernel before 3.17.4
allows remote attackers to cause a denial of service
(memory consumption) by triggering a large number of chunks
in an association's output queue, as demonstrated by ASCONF
probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3688

How to apply the patches
=======================
We recommend that you apply all existing patches available at
http://linux.enea.com/4.0/patches.

 - Preparation
Make sure that you have an installation of Enea Linux and have applied
the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches, please refer to
    README file for individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-4.0/poky/meta-enea
wget http://linux.enea.com/4.0/patches/0024-kernel-NET-SCTP-CVE-2014-3688.patch
patch -p1 < ./0024-kernel-NET-SCTP-CVE-2014-3688.patch
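
The procedure above, as an added example that is not part of the original advisory or Enea's tooling: a POSIX shell helper that applies a local directory of numbered patches (named like 0024-....patch) in order, skips any already present in the tree, and stops at the first one that does not apply. The function names and the local patch directory are assumptions; it relies on the `--dry-run`, `-R`, `-N` and `-f` options of the `patch` utility.

```shell
#!/bin/sh
# Added example: ordered, repeatable patch application.
# patch_state, apply_series and the directory layout are hypothetical names.

# patch_state TREE PATCHFILE -> prints one of: applied | pending | conflict
patch_state() {
    st_tree=$1; st_patch=$2
    # A reverse dry run succeeds only if the change is already in the tree.
    if (cd "$st_tree" && patch -p1 -R -f --dry-run) <"$st_patch" >/dev/null 2>&1; then
        echo applied
    # A forward dry run succeeds only if the patch still applies.
    elif (cd "$st_tree" && patch -p1 -N -f --dry-run) <"$st_patch" >/dev/null 2>&1; then
        echo pending
    else
        echo conflict
    fi
}

# apply_series TREE PATCHDIR
# Applies NNNN-*.patch files in lexical (zero-padded numeric) order.
# Returns non-zero at the first patch that neither applies nor is present,
# so a later patch is never applied on top of a missing earlier one.
apply_series() {
    tree=$1; dir=$2
    for pf in "$dir"/[0-9][0-9][0-9][0-9]-*.patch; do
        [ -f "$pf" ] || continue            # glob matched nothing
        case $(patch_state "$tree" "$pf") in
            applied)
                echo "skip  ${pf##*/}" ;;
            pending)
                (cd "$tree" && patch -p1 -N -f) <"$pf" >/dev/null || return 1
                echo "apply ${pf##*/}" ;;
            *)
                echo "FAIL  ${pf##*/}" >&2
                return 1 ;;
        esac
    done
}

# Example call (paths are assumptions):
#   apply_series Enea-Linux-4.0/poky/meta-enea ./patches
```

The reverse dry run can misreport an earlier patch once a later patch has rewritten the same lines, so treat a `conflict` result as a prompt to inspect the tree rather than to force the patch.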


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

ESRT (Enea Security Response Team)
Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Mobile: +46 70 971 4475
www.enea.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----