CVE-2017-6074

Bug #1665935 reported by Steve Beattie
Affects          Status        Importance  Assigned to  Milestone
linux (Ubuntu)   Fix Released  Critical    Unassigned

Bug Description

Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

Kernels affected: all of them :(

MITIGATION:
Disable autoloading of the DCCP IPv4 and IPv6 modules by creating /etc/modprobe.d/blacklist-dccp.conf with the following contents:

  alias net-pf-2-proto-0-type-6 off
  alias net-pf-2-proto-33-type-6 off
  alias net-pf-10-proto-0-type-6 off
  alias net-pf-10-proto-33-type-6 off
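
As an added example (not part of the bug report or of Ubuntu's own tooling), the following POSIX shell script applies the mitigation above and checks whether it is actually effective on a running system. The four alias lines are the ones from the description; the BLACKLIST_FILE path, the function names and the constructed sample inputs used for the checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): apply and verify the DCCP
# autoload blacklist from the CVE-2017-6074 mitigation. The file path,
# function names and any sample inputs are this example's own; the four
# alias lines are the ones given in the bug description.

BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/modprobe.d/blacklist-dccp.conf}"

# When userspace calls socket(family, SOCK_DCCP, proto) and no DCCP
# handler is registered, the kernel asks modprobe for the alias
# net-pf-<family>-proto-<proto>-type-6 (PF_INET = 2, PF_INET6 = 10,
# proto 0 = default, 33 = IPPROTO_DCCP, type 6 = SOCK_DCCP).
# Mapping each alias to "off" turns that autoload into a no-op.
dccp_blacklist_content() {
    cat <<'EOF'
alias net-pf-2-proto-0-type-6 off
alias net-pf-2-proto-33-type-6 off
alias net-pf-10-proto-0-type-6 off
alias net-pf-10-proto-33-type-6 off
EOF
}

# Write the blacklist to the given path (normally needs root).
install_dccp_blacklist() {
    dccp_blacklist_content > "$1"
}

# Succeed only if the file at $1 carries all four alias lines exactly.
blacklist_complete() {
    for pf in 2 10; do
        for proto in 0 33; do
            grep -qx "alias net-pf-$pf-proto-$proto-type-6 off" "$1" || return 1
        done
    done
}

# Read a /proc/modules listing on stdin and print the DCCP family
# modules (dccp, dccp_ipv4, dccp_ipv6) that are currently loaded.
# The blacklist stops future autoloads; it does not unload these.
loaded_dccp_modules() {
    awk '$1 ~ /^dccp/ { print $1 }'
}

# Succeed if the /proc/net/protocols listing at $1 shows DCCP or DCCPv6
# registered, i.e. socket(..., SOCK_DCCP, ...) would still succeed
# today regardless of what the blacklist file says.
dccp_registered() {
    awk '$1 == "DCCP" || $1 == "DCCPv6" { found = 1 } END { exit !found }' "$1"
}

# Command-line use: "--install" writes the file, "--check" reports state.
case "${1:-}" in
    --install)
        install_dccp_blacklist "$BLACKLIST_FILE" && echo "wrote $BLACKLIST_FILE"
        ;;
    --check)
        if [ -r "$BLACKLIST_FILE" ] && blacklist_complete "$BLACKLIST_FILE"; then
            echo "blacklist present: $BLACKLIST_FILE"
        else
            echo "blacklist missing or incomplete: $BLACKLIST_FILE"
        fi
        loaded=$(loaded_dccp_modules < /proc/modules)
        if [ -n "$loaded" ]; then
            echo "DCCP modules still loaded (remove with modprobe -r):" $loaded
        fi
        if dccp_registered /proc/net/protocols; then
            echo "DCCP protocol registered: DCCP sockets can still be created"
        fi
        ;;
esac
```

Two caveats the checks above are there to catch: the alias lines only suppress the kernel's socket()-triggered module request, so a dccp, dccp_ipv4 or dccp_ipv6 module that is already loaded must be removed with modprobe -r (or the machine rebooted), and an explicit modprobe by root still loads it. The blacklist is a stopgap until the patched kernel from the changelog below is installed.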

Steve Beattie (sbeattie)
description: updated
summary: - Placeholder
+ CVE-2017-6074
Changed in linux (Ubuntu):
importance: Undecided → Critical
Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie) wrote :

The DCCP bits in the kernel seem to be poorly maintained and should probably be added to the rarely used network protocols blacklist.

description: updated
Steve Beattie (sbeattie)
description: updated
description: updated
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-39.42

---------------
linux (4.8.0-39.42) yakkety; urgency=low

  * CVE-2017-6074 (LP: #1665935)
    - dccp: fix freeing skb too early for IPV6_RECVPKTINFO

 -- Stefan Bader <email address hidden> Mon, 20 Feb 2017 09:30:56 +0100

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Andy Whitcroft (apw) wrote : Update Released

The verification of the Stable Release Update for linux-snapdragon has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Beattie (sbeattie)
information type: Private Security → Public Security