* [dpdk-announce] Vhost-user CVE-2018-1059
@ 2018-04-23 15:55 Maxime Coquelin
0 siblings, 0 replies; only message in thread
From: Maxime Coquelin @ 2018-04-23 15:55 UTC (permalink / raw)
All versions of DPDK's Vhost-user library are vulnerable to out-of-bound
accesses initiated by a buggy or malicious guest.
This vulnerability has been assigned CVE-2018-1059.
Users are strongly encouraged to upgrade to the latest releases:
- v16.11.6 (LTS): https://fast.dpdk.org/rel/dpdk-16.11.6.tar.xz
- v17.08.2: https://fast.dpdk.org/rel/dpdk-17.08.2.tar.xz
- v17.11.2 (LTS): https://fast.dpdk.org/rel/dpdk-17.11.2.tar.xz
- v18.02.1: https://fast.dpdk.org/rel/dpdk-18.02.1.tar.xz
Starting DPDK v17.11, rte_vhost_gpa_to_vva() API was introduced for
external Vhost backends to be able to translate guest's physical
addresses to Vhost process's virtual addresses.
This API is now marked as deprecated, and users must replace its use
with the new rte_vhost_va_from_guest_pa() API. This new API takes an
extra length parameter that must be checked properly.
Patches fixing this vulnerability will soon be posted to the dev
mailing-list for upstream master, and to the stable mailing-list for
^ permalink raw reply [flat|nested] only message in thread
only message in thread, back to index
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-23 15:55 [dpdk-announce] Vhost-user CVE-2018-1059 Maxime Coquelin
Archives are clonable:
git clone --mirror http://inbox.dpdk.org/announce/0 announce/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 announce announce/ http://inbox.dpdk.org/announce \
Newsgroup available over NNTP:
AGPL code for this site: git clone https://public-inbox.org/ public-inbox