Bug 1124136 - (CVE-2019-8956) VUL-0: CVE-2019-8956: kernel-source: sctp local root
(CVE-2019-8956)
VUL-0: CVE-2019-8956: kernel-source: sctp local root
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/224146/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-04 10:33 UTC by Marcus Meissner
Modified: 2019-03-13 06:27 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Michal Kubeček 2019-02-04 12:37:41 UTC
Yes, the SCTP_SENDALL handling code fixed by commit ba59fb027307 (currently
in net tree) was indeed introduced by commit 4910280503f3 ("sctp: add support
for snd flag SCTP_SENDALL process in sendmsg") in v4.17-rc1 which was not
backported into any of our older branches.

Therefore only master and stable branches are affected.
Comment 4 Michal Kubeček 2019-02-08 21:50:51 UTC
Commit ba59fb027307 ("sctp: walk the list of asoc safely") is in mainline now
so that it's going to be in v5.0-rc6.
Comment 5 Marcus Meissner 2019-02-14 13:07:16 UTC
was there any publishing of this issue?
Comment 6 Michal Kubeček 2019-02-18 07:26:15 UTC
Doesn't really matter anymore as the fix is in master (via 4.20-rc6) and stable
(via 4.20.8) branches and we don't need it anywhere else.

Reassigning to security team.
Comment 7 Michal Kubeček 2019-02-18 07:34:05 UTC
(In reply to Michal Kubeček from comment #6)
> Doesn't really matter anymore as the fix is in master (via 4.20-rc6) ...

Should be "via 5.0-rc6".
Comment 8 Marcus Meissner 2019-02-18 07:48:24 UTC
unembargoing.
Comment 10 Marcus Meissner 2019-02-21 12:58:04 UTC
https://secuniaresearch.flexerasoftware.com/secunia_research/2019-5/                                                                                                                         

CVE-2019-8956.
Comment 11 Marcus Meissner 2019-03-13 06:27:43 UTC
can be considered done I think.