Debian Bug report logs - #971269
dpdk: CVEs for multiple vhost crypto issues
Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Debian DPDK Maintainers <pkg-dpdk-devel@lists.alioth.debian.org>: Bug#971269; Package src:dpdk. (Mon, 28 Sep 2020 15:45:03 GMT)
Acknowledgement sent to Luca Boccassi <bluca@debian.org>: New Bug report received and forwarded. Copy sent to security@debian.org, Debian DPDK Maintainers <pkg-dpdk-devel@lists.alioth.debian.org>. (Mon, 28 Sep 2020 15:45:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: dpdk
Version: 18.11-1
Severity: important
Tags: security
X-Debbugs-cc: security@debian.org
Forwarded: https://bugs.dpdk.org/show_bug.cgi?id=272
Fixed: 18.11.10-1~deb10u1 19.11.5-1

The vhost crypto feature in src:dpdk is affected by several security
issues:

CVE: CVE-2020-14374
Severity: 8.8 (High)
CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: dpdk: Remote Code Execution in vhost_crypto (VM Escape)

CVE: CVE-2020-14375
Severity: 7.8 (High)
CVSS scores: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: dpdk: Time-of-check time-of-use vulnerabilities throughout
vhost_crypto.c

CVE: CVE-2020-14376
Severity: 7.8 (High)
CVSS scores: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: dpdk: Buffer overflow copying iv_data from guest to
host (prepare_sym_cipher_op & prepare_sym_chain_op)

CVE: CVE-2020-14377
Severity: 7.1 (High)
CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Description: dpdk: write_back_data buffer over read
(cipher->para.dst_data_len & desc->len)

CVE: CVE-2020-14378
Severity: 3.3 (Low)
CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description: dpdk: Partial Denial of Service due to Integer Underflow

Version 16.11.x in Stretch is not affected.

Popularity of this feature seems low, so it would probably be
acceptable to fix it only via proposed-updates in Buster.

--
Kind regards,
Luca Boccassi
Marked as fixed in versions dpdk/18.11.10-1~deb10u1. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Mon, 28 Sep 2020 15:51:03 GMT)
Marked as fixed in versions dpdk/19.11.5-1. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Mon, 28 Sep 2020 15:51:03 GMT)
Last modified: Tue Sep 29 10:24:40 2020