[security-announce] Kernel: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Apr 24 14:53:27 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Enea Linux Security Advisory

=========================================================
Product/package: kernel (FSL kernel: 3.8.11)
Severity: High
CVE Names: CVE-2015-1421
kernel: net: slab corruption from use after free on INIT
Layer: meta-enea
=========================================================

This update fixes a use-after-free flaw which was found
in the way the Linux kernel's SCTP implementation handled
authentication key reference counting during INIT
collisions.

README file: 0064-PPC-kernel-net-CVE-2015-1421.README
Patch file:  00064-PPC-kernel-net-CVE-2015-1421.patch
Signed (ascii-armored signatures):
00064-PPC-kernel-net-CVE-2015-1421.patch.asc
sha1sum: 00064-PPC-kernel-net-CVE-2015-1421.patch.sha1

Description
===========
Use-after-free vulnerability in the sctp_assoc_update
function in net/sctp/associola.c in the Linux kernel
before 3.18.8 allows remote attackers to cause a denial
of service (slab corruption and panic) or possibly have
unspecified other impact by triggering an INIT collision
that leads to improper handling of shared-key data.

References
==========
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1421

How to apply the patches
=======================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing FSL kernel patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
cd Enea-Linux-4.0/poky/meta-enea
wget https://linux.enea.com/4.0/patches/0064-PPC-kernel-net-CVE-2015-1421.patch
patch -p1 < ./0064-PPC-kernel-net-CVE-2015-1421.patch


If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
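
The advisory lists a detached signature (.patch.asc) and a SHA-1 file (.patch.sha1) for the patch, but the "How to apply the patches" steps do not use them. As an added example, not part of the original advisory or of Enea's tooling, here is a shell gate that checks both before running patch. It assumes both files were downloaded next to the patch and that the signer's public key is already in the local GnuPG keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded patch before applying it.
# Assumption: the .sha1 and .asc files sit next to the patch and the
# signer's public key is already in the local GnuPG keyring.

# Print the SHA-1 of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_patch PATCH SHA1FILE [ASCFILE]
# Returns 0 only if the digest matches and, when ASCFILE is given, the
# detached signature verifies. Only the digest field of SHA1FILE is read,
# so a different file name recorded inside it does not cause a failure.
verify_patch() {
    patch_file=$1; sha1_file=$2; asc_file=${3:-}
    [ -r "$patch_file" ] && [ -r "$sha1_file" ] || { echo "missing input" >&2; return 2; }
    expected=$(awk 'NF {print tolower($1); exit}' "$sha1_file")
    actual=$(sha1_of "$patch_file")
    # A SHA-1 digest is exactly 40 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|"") echo "malformed digest" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 40 ] || { echo "malformed digest" >&2; return 2; }
    if [ "$expected" != "$actual" ]; then
        echo "SHA-1 mismatch for $patch_file" >&2; return 1
    fi
    if [ -n "$asc_file" ]; then
        gpg --verify "$asc_file" "$patch_file" || return 1
    fi
    return 0
}

# apply_verified PATCH SHA1FILE [ASCFILE]: run from poky/meta-enea.
# Applies the patch only after verification and a clean dry run.
apply_verified() {
    verify_patch "$@" || return 1
    patch -p1 --dry-run < "$1" || return 1
    patch -p1 < "$1"
}
```

The digest comparison only detects a corrupted or swapped download; it is the `gpg --verify` step that ties the patch to the signer's key.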

