author: Ben Hutchings <benh@debian.org> 2017-11-05 17:42:22 +0000
committer: Ben Hutchings <benh@debian.org> 2017-11-05 17:42:22 +0000
commit: 6d2951db2dccc8cfc72d9a6f815192a43bec1568
tree: 8891b3459b4a2f3a3c7cac43bb589463aae9e221 /retired/CVE-2017-1000112
parent: 1fd5cce1d162f7596408130f57e83e6297a37de0
Ignore CVE-2017-1000112 for 3.2, and retire it
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5697 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2017-1000112')
-rw-r--r-- retired/CVE-2017-1000112 18
1 files changed, 18 insertions, 0 deletions
diff --git a/retired/CVE-2017-1000112 b/retired/CVE-2017-1000112
new file mode 100644
index 00000000..b926309c
--- /dev/null
+++ b/retired/CVE-2017-1000112
@@ -0,0 +1,18 @@
+Description: Exploitable memory corruption due to UFO to non-UFO path switch
+References:
+ http://www.openwall.com/lists/oss-security/2017/08/10/5
+Notes:
+ carnil> Introduced in e89e9cf539a28df7d0eb1d0a545368e9920b34ac
+ bwh> Exploitation is possible by unprivileged users after commit 40ba330227ad
+ bwh> "udp: disallow UFO for sockets with SO_NO_CHECK option", or with
+ bwh> CAP_NET_ADMIN (in any namespace). This is low severity for 3.2 and also
+ bwh> will be hard to fix there without revisiting CVE-2013-4470.
+Bugs:
+upstream: released (4.13-rc5) [85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa]
+4.9-upstream-stable: released (4.9.43) [33dc6a6a85f1d6ce71e7056d009b8a5fcbf10f70]
+3.16-upstream-stable: released (3.16.47) [08676246d893e3a42a541a2ef1291f2ea62c5b06]
+3.2-upstream-stable: ignored "Low severity and difficult to backport"
+sid: released (4.12.6-1) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
+4.9-stretch-security: released (4.9.30-2+deb9u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
+3.16-jessie-security: released (3.16.43-2+deb8u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
+3.2-wheezy-security: ignored "Low severity and difficult to backport"
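Review bot: In the Notes block, the bwh lines list two preconditions for exploitation (commit 40ba330227ad being present, or CAP_NET_ADMIN in any namespace) and then state "This is low severity for 3.2" without saying which of those does or does not hold on 3.2. Both 3.2-upstream-stable and 3.2-wheezy-security are marked ignored on that basis, so add a line recording whether 3.2 carries 40ba330227ad and whether unprivileged users can obtain CAP_NET_ADMIN through a namespace there; that lets the decision be rechecked if either changes. It would also help to say in a few words what about CVE-2013-4470 would have to be revisited, and to cite 40ba330227ad with its full hash, as the "Introduced in" line does, so the reference stays unambiguous.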
