Closed mend-for-github-com[bot] closed 1 year ago
:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #45
:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #45
Vulnerable Library - linux-yocto-devv2.6.34.10
Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Vulnerable Source Files (1)
/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/crypto/cryptd.c
Vulnerabilities
Details
CVE-2018-17182
### Vulnerable Library - linux-yocto-devv2.6.34.10Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h
### Vulnerability DetailsAn issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
Publish Date: 2018-09-19
URL: CVE-2018-17182
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17182
Release Date: 2018-09-19
Fix Resolution: v4.19-rc4
CVE-2011-2484
### Vulnerable Library - linux-yocto-devv2.6.34.10Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c
### Vulnerability DetailsThe add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.
Publish Date: 2011-06-24
URL: CVE-2011-2484
### CVSS 3 Score Details (6.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-2484
Release Date: 2011-06-24
Fix Resolution: kernel-headers - 2.6.32-131.17.1,2.6.18-274.7.1,2.6.32-131.17.1;kernel-debuginfo-common-x86_64 - 2.6.32-131.17.1;kernel-PAE - 2.6.18-274.7.1;kernel-doc - 2.6.18-274.7.1,2.6.32-131.17.1;kernel-xen - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-PAE-devel - 2.6.18-274.7.1;perf - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-devel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1;perf-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-devel - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-firmware - 2.6.32-131.17.1;kernel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1;kernel-xen-devel - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-debuginfo-common-i686 - 2.6.32-131.17.1;kernel-headers - 2.6.18-274.7.1
CVE-2014-9644
### Vulnerable Library - linux-yocto-devv2.6.34.10Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/crypto/cryptd.c
### Vulnerability DetailsThe Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
Publish Date: 2015-03-02
URL: CVE-2014-9644
### CVSS 3 Score Details (4.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-9644
Release Date: 2015-03-02
Fix Resolution: 3.18.5
CVE-2011-2494
### Vulnerable Library - linux-yocto-devv2.6.34.10Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c
### Vulnerability Detailskernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.
Publish Date: 2012-06-13
URL: CVE-2011-2494
### CVSS 3 Score Details (4.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-2494
Release Date: 2012-06-13
Fix Resolution: 3.1
CVE-2014-4652
### Vulnerable Library - linux-yocto-devv2.6.34.10Linux Embedded Kernel - tracks the next mainline release
Library home page: https://git.yoctoproject.org/git/linux-yocto-dev
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
Publish Date: 2014-07-03
URL: CVE-2014-4652
### CVSS 3 Score Details (2.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-4652
Release Date: 2014-07-03
Fix Resolution: 3.15.2