From 0d89d6ad6568503b3ac9a2345e7d52fff4317599 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 5 Dec 2018 22:06:22 +0100 Subject: Retire CVE-2018-18559 --- retired/CVE-2018-18559 | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 retired/CVE-2018-18559 (limited to 'retired/CVE-2018-18559') diff --git a/retired/CVE-2018-18559 b/retired/CVE-2018-18559 new file mode 100644 index 00000000..426f0fcd --- /dev/null +++ b/retired/CVE-2018-18559 @@ -0,0 +1,18 @@ +Description: use-after-free due to a race condition between anout_add from setsockopt and bind on an AF_PACKET socket +References: + https://blogs.securiteam.com/index.php/archives/3731 +Notes: + carnil> Issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 + carnil> (4.15-c2) incomplete fix for a race condition. It was backported e.g. + carnil> as well to 5471afeef41388ec08e6cf610640aaf89805d6db (4.9.70) and + carnil> a0992bdf1e286a7b5e0dd696e2f2fd0fcbe08c7c (3.16.55). + carnil> The actual fix is 15fe076edea787807a7cdc168df832544b58eba6 complete. + carnil> https://bugzilla.redhat.com/show_bug.cgi?id=1641878#c3 + carnil> https://bugzilla.novell.com/show_bug.cgi?id=1112859 +Bugs: +upstream: released (4.15-rc2) [15fe076edea787807a7cdc168df832544b58eba6] +4.9-upstream-stable: released (4.9.70) [5471afeef41388ec08e6cf610640aaf89805d6db] +3.16-upstream-stable: released (3.16.55) [a0992bdf1e286a7b5e0dd696e2f2fd0fcbe08c7c] +sid: released (4.14.7-1) +4.9-stretch-security: released (4.9.80-1) +3.16-jessie-security: released (3.16.56-1) -- cgit v1.2.3
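Review bot: In the Notes block, commit 15fe076edea787807a7cdc168df832544b58eba6 is named first as the "incomplete fix for a race condition" that the issue exists because of, and three lines later as "The actual fix is 15fe076edea787807a7cdc168df832544b58eba6 complete". A reader cannot tell whether the commit itself or a partial application of it is at fault. Since the status lines mark upstream, 4.9.70 and 3.16.55 as released with that same commit and its backports, the note should say explicitly what was incomplete and where. The same Notes line gives the version as "(4.15-c2)" while the upstream status line has "(4.15-rc2)"; the two should agree. In the Description, "anout_add" looks like a truncated identifier, presumably fanout_add; check it against the CVE text so the entry stays searchable.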