Results 1 to 9 of 9

Thread: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

  1. #1

    Exclamation CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Hello.

    Perhaps I am being paranoid, but I noticed that CVE-2014-2523 (severity rating 10.0) has been fixed in the linux kernel patch 3.10.36 / 2014.04.03 but not in the openSuse 12.3 kernel upgrade. I would like to fix this myself asap - is there any way that I could apply this patch myself? How do I do this? Do I download the kernel source, build it then apply the patch? Or simply fix this bit in the source and create a patch and install it?

    I have developed two commercial windows packages but the linux stuff throws me for a loop at times. However, I really need to install this patch. Please point me in the right direction if possible. Last resort I can install 13.1 I guess but it is pretty new and I don't think this fix has been applied to it either.

    Thanks for your help.

    Dean Makowecky

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    32,352
    Blog Entries
    15

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Hi
    Already fixed last month (Comment #9), guess it's not pushed yet.....
    https://bugzilla.novell.com/show_bug.cgi?id=868653
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Already fixed last month (Comment #9), guess it's not pushed yet.....
    https://bugzilla.novell.com/show_bug.cgi?id=868653
    Hi. Thanks for the quick response.

    My file listing is: 15188 Feb 3 17:21 nf_conntrack_proto_dccp.ko in directory /lib/modules/3.7.10-1.28-desktop/kernel/net/netfilter.

    Note my file date is Feb. 3, and I noticed the bugzilla date was March, so I guess not pushed through yet - How do I tell? I searched for CVE-2014-2523 on openSUSE site and forums (I thought) and didn't find anything. But I did NOT search bugzilla. I didn't know it existed - now I do. Thanks.

    I have noticed that updates are sometimes not being applied properly on my system. Can I just compile that file and replace the existing one to fix the problem? Where do I find the dependencies? (As you can tell, I am not so familiar with linux. Is there any info on this or building particular modules?)

    Thanks for any help.

    Dean

  4. #4
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    32,352
    Blog Entries
    15

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Hi
    This is the fixed kernel here;
    http://download.opensuse.org/reposit...12.3/standard/

    From the changes file;
    https://build.opensuse.org/source/Ke...0e11e13838a157

    Code:
    -------------------------------------------------------------------
    Mon Mar 24 14:14:23 CET 2014 - jeffm@suse.com
    
    - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
      (bnc#868653 CVE-2014-2523).
    - commit 956ad17
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  5. #5

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Hi.

    I use the desktop kernel configuration - I'll switch back to the default configuration for greater security and submit a bug report to bugzilla.

    Thanks for your help.

    Dean

  6. #6

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Quote Originally Posted by DMakowecky View Post
    I use the desktop kernel configuration - I'll switch back to the default configuration for greater security and submit a bug report to bugzilla.
    Why?

    That repo malcomlewis pointed to contains kernel-desktop as well with the same fixes (they are built from the exact same sources including the same patches anyway).

    And this is the 12.3 kernel repo, AIUI thos is used for preparing official updates for 12.3, so the fixes in there will be released as update sooner or later I think.

  7. #7

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    I applied the fixed kernel pointed to by Malcolm - THANKS!

    I also downloaded, compiled and installed the latest openssl and gnuTLS packages. Now MUCH safer I hope. I really have to find out why the patches didn't show up in my apper/zypper repositories and others weren't installed properly when I applied them.

    Thanks very much for your help.

    Dean Makowecky

  8. #8

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Quote Originally Posted by DMakowecky View Post
    I also downloaded, compiled and installed the latest openssl and gnuTLS packages. Now MUCH safer I hope. I really have to find out why the patches didn't show up in my apper/zypper repositories and others weren't installed properly when I applied them.
    On openSUSE such fixes are normally backported to the shipped version, there are no version updates released as official online updates.
    Maybe that just confused you and you actually DID have the patches installed?

    F.e. openssl is still at version 1.0.1e, but the openSUSE package does contain the fix for the heartbleed bug and is not vulnerable any more.

    You can see that in the package's changelog:
    Code:
    # rpm -q openssl
    openssl-1.0.1e-11.32.1.x86_64
    # rpm -q --changelog openssl
    * Tue Apr 08 2014 shchang@suse.com
    - Fixed bug[ bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
      Add file: CVE-2014-0160.patch
    ...
    In this specific case (openssl), a version update to 1.0.1g will be released as well though, to avoid misunderstandings.

  9. #9

    Default Re: CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernal Security Fix - severe I think

    Yep. Oops.

    At least I erred on the safe side (salvage some dignity anyhow).

    Dean

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •