author: Salvatore Bonaccorso <carnil@debian.org> 2017-10-12 17:00:07 +0000
committer: Salvatore Bonaccorso <carnil@debian.org> 2017-10-12 17:00:07 +0000
commit: 5bc06baa77f3a612757d92dc297e19037faea1c9
tree: 451d80b1b2c96827cb0dfd306bfb78c625b933d2 /retired/CVE-2017-14489
parent: cbc0387469ef88da03c9465b25968225c38eef5b
Retire several CVEs
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5646 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2017-14489')
-rw-r--r-- retired/CVE-2017-14489 | 24
1 files changed, 24 insertions, 0 deletions
diff --git a/retired/CVE-2017-14489 b/retired/CVE-2017-14489
new file mode 100644
index 00000000..58a37d3c
--- /dev/null
+++ b/retired/CVE-2017-14489
@@ -0,0 +1,24 @@
+Description: scsi: nlmsg not properly parsed in iscsi_if_rx function
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1490421
+ https://patchwork.kernel.org/patch/9923803/
+Notes:
+ bwh> Appears to have been introduced in 2.6.15 by commit 0896b7523026
+ bwh> "[SCSI] open-iscsi/linux-iscsi-5 Initiator: Transport class update for
+ bwh> iSCSI".
+ carnil> 7f564528a480084e2318cd48caba7aef4a54a77f is presumably the upstream
+ carnil> fix already fixing the issue, cf.
+ carnil> http://www.openwall.com/lists/oss-security/2017/09/25/3 but
+ carnil> "nevertheless, the buffer overwrite is still there, so a suggested
+ carnil> patch 9923803 (or its later version) is still needed."
+ carnil> Fix is pending for 4.14/scsi-fixes in:
+ carnil> https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.14/scsi-fixes&id=c88f0e6b06f4092995688211a631bb436125d77b
+Bugs:
+upstream: released (4.14-rc3) [c88f0e6b06f4092995688211a631bb436125d77b]
+4.9-upstream-stable: released (4.9.53) [b42bf0f15cf70926f3a460e7517703fda6191ba7]
+3.16-upstream-stable: released (3.16.49) [a1b438ad8590add8f6b0b679171bf5e0d45e2da1]
+3.2-upstream-stable: released (3.2.94) [7d38a8202c4a6acf91d6163f53f3253a261bbd22]
+sid: released (4.12.13-1) [bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch]
+4.9-stretch-security: released (4.9.30-2+deb9u4) [bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch]
+3.16-jessie-security: released (3.16.43-2+deb8u4) [bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch]
+3.2-wheezy-security: released (3.2.93-1) [bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch]
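Review bot: The last carnil note in Notes, "Fix is pending for 4.14/scsi-fixes", is stale against the status lines of this same file, which record upstream as released (4.14-rc3) with c88f0e6b06f4092995688211a631bb436125d77b. Since the entry now lives under retired/, reword that note to say the fix landed and point at the released commit rather than the scsi-fixes branch URL. It would also help to state directly that 7f564528a480084e2318cd48caba7aef4a54a77f did not fully resolve the issue, so a reader does not have to reconcile "presumably the upstream fix" with the quoted "the buffer overwrite is still there".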
