Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 508010

Summary: <sys-kernel/openvz-sources-2.6.32.88.4 : multiple vulnerabilities (CVE-2014-2523)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: andreis.vinogradovs, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/58060/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=505658
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-18 13:48:36 UTC 
From ${URL} :

Description

OpenVZ has issued an update for kernel. This fixes some weaknesses and multiple vulnerabilities, which can 
be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service), by 
malicious, local users to disclose potentially sensitive information, cause a DoS or potentially gain 
escalated privileges, and by malicious people to cause a DoS.

For more information:
SA56878
SA57594


Solution:
Update kernel branch RHEL6 to 042stab088.4.

Original Advisory:
OpenVZ:
http://wiki.openvz.org/Download/kernel/rhel6/042stab088.4


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2014-06-08 16:56:55 UTC 
042stab088.4.

That said I've bumped 042stab090.3 to deal with CVE-2014-3153.
Comment 2 Andreis Vinogradovs ( slepnoga ) 2014-06-09 07:01:31 UTC 
Peter, please start stabilization process ( on x86 and amd64)
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2014-06-17 06:06:42 UTC 
+  17 Jun 2014; Peter Volkov <pva@gentoo.org>
+  -openvz-sources-2.6.32.85.20.ebuild, -openvz-sources-2.6.32.88.4.ebuild,
+  -openvz-sources-2.6.32.90.2.ebuild, openvz-sources-2.6.32.90.3.ebuild:
+  x86/amd64 stable, security bug #508010 and bug #513084 wrt Andreis
+  Vinogradovs ( slepnoga ) and Agostino Sarubbo. Drop old.
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2014-06-19 06:47:05 UTC 
Thanks, guys

Kernel package, closing as noglsa
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:58:18 UTC 
CVE-2014-2523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2523):
  net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6
  uses a DCCP header pointer incorrectly, which allows remote attackers to
  cause a denial of service (system crash) or possibly execute arbitrary code
  via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet,
  or (3) dccp_error function.